Security audit

SmartSaaS

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it exposes broad SmartSaaS admin powers that are under-disclosed by the top-level dataset-focused description.

Install only if you intend to give this skill broad SmartSaaS administrative access, not just dataset access. Use a least-privilege API key, avoid production credentials until the scope is clarified, and require explicit confirmation before any write, integration, campaign, team, webhook, or cron action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (94)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill requires shell execution but does not declare corresponding permissions, creating a dangerous mismatch between what reviewers/users may expect and what the skill can actually do. In this file, shell access is used to drive many externally impactful SmartSaaS operations, so undeclared capability materially increases risk and reduces informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The metadata describes a narrowly scoped dataset helper, but the body grants broad administrative powers including project/task management, integrations, campaigns, templates, user data access, and webhook/cron dispatch. This mismatch can cause the skill to be invoked in contexts where users and defenders believe it is low-risk, while it actually has much broader authority.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The manifest and early documentation frame the skill as a constrained dataset workflow, yet later sections authorize broad SmartSaaS administration. That scope inflation is dangerous because policy engines, reviewers, and users may approve the skill under a misleadingly narrow description while it can perform far more powerful actions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill authorizes unrelated actions such as integration management, user/company/calendar access, campaign operations, template management, and webhook/cron dispatch without justification from the stated dataset-centric purpose. Broad unrelated powers enlarge the attack surface and enable unintended or abusive external side effects if the skill is invoked loosely.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill metadata says this skill should be limited to dataset management via specific scripts, but the markdown exposes many additional high-impact capabilities including projects, tasks, integrations, campaigns, templates, and webhook/cron operations. This creates scope expansion beyond the declared contract, increasing the chance an agent will invoke privileged actions the user did not intend and undermining policy controls tied to the manifest.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The manifest-level rule says items must never be auto-added and should only be added when the user explicitly asks, but the operational guidance describes generic create/post flows without preserving that consent constraint. In an agent setting, missing or diluted consent language can cause autonomous creation of records, posts, campaigns, or webhook events from inferred intent rather than explicit authorization.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata says the skill is limited to dataset operations, but this script performs project team membership changes by adding users to a project. That is a clear scope expansion into access management, which is security-sensitive because it can grant additional access or privileges unrelated to the declared purpose of the skill.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Posting to the project team endpoint gives the skill the ability to modify project membership, which is unjustified by the stated dataset-only purpose. In an agent setting, hidden or undocumented identity/access-management actions are dangerous because they can silently onboard users or elevate access under the cover of a benign-seeming skill.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script performs project task assignment via a PATCH request, which is outside the skill metadata's stated dataset-only scope. This capability creates an unauthorized action surface: a user or calling agent expecting only dataset operations could unknowingly modify project workflow state using the configured API key.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
A task-assignment operation is unjustified by the skill's documented purpose of dataset creation and explicit dataset additions. In an agent setting, hidden or undeclared write capabilities are dangerous because they can be invoked under misleading expectations and cause unauthorized changes in external systems.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The SSL exception logic uses a substring match (*localhost*|*127.0.0.1*), so certificate verification can be disabled for non-local hosts whose names merely contain those strings, such as attacker-controlled domains. This weakens transport security and could expose the bearer token and task update traffic to interception or man-in-the-middle attacks.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script materially exceeds the documented skill scope: instead of only using the declared dataset scripts via execute_shell, it performs direct network calls with curl to administer OpenClaw cron configuration. In an agent skill, scope drift like this is dangerous because it introduces an undisclosed capability to create scheduled backend actions, which can lead to persistent unauthorized behavior and bypass user intent constraints.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill is described as a SmartSaaS dataset tool, but this script adds a separate administrative capability for OpenClaw webhook/cron management. That hidden control-plane functionality can be abused to establish scheduled tasks that trigger future actions without fresh user requests, making the skill substantially more dangerous in this context than the manifest suggests.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The header explicitly states the backend may register jobs that dispatch to the OpenClaw webhook, which conflicts with the manifest rule that items must only be added on explicit user request and never auto-added. Even if the script only sets configuration, enabling scheduled dispatch creates a mechanism for autonomous follow-on actions that can undermine that safety guarantee.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script adds a sales campaign creation capability that is not disclosed in the skill metadata, which only describes dataset creation and adding explicitly user-requested items to datasets. This mismatch is dangerous because it expands the agent's effective privileges and can be used to perform unintended business actions under the cover of a benign-seeming dataset-management skill.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code directly invokes a protected sales endpoint to create campaigns, which is outside the stated purpose of the skill and therefore constitutes hidden functionality. In agent environments, concealed side-effecting capabilities are especially dangerous because users and orchestrators may grant trust or credentials based on the narrower declared purpose.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The inline documentation advertises an undocumented script and usage surface that conflicts with the manifest's described scripts and constraints, indicating the skill contains undeclared operational paths. Such discrepancies are a strong indicator of deceptive packaging and increase the chance that an agent will invoke unsafe behavior users did not authorize.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata says the skill is for dataset management and explicitly references dataset-only scripts, but this file adds a separate capability to create remote email templates. That scope expansion is dangerous because it grants the agent an undeclared content-creation action against a protected API, increasing the chance of unauthorized or surprising side effects when the skill is invoked.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This script performs a POST to a protected template-creation endpoint even though the stated purpose of the skill is dataset management. In this context, the mismatch makes the behavior more dangerous because a user or orchestrator may trust the skill for low-risk data operations while it actually has the power to create customer-facing email content remotely.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script performs privileged knowledge-article creation even though the skill metadata declares a dataset-only scope and explicitly says to use only the dataset scripts. That scope mismatch is dangerous because it introduces undeclared write capabilities that an agent or operator may not expect, enabling unauthorized content creation in a different product area.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file's own usage comments and behavior document a curl-based knowledge creation workflow that conflicts with the manifest's stated operational model of positional dataset scripts only and 'never curl.' This inconsistency increases the chance that reviewers, agents, or users misunderstand the true permissions of the skill and accidentally invoke undeclared remote write behavior.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script adds an undeclared project-creation capability that is outside the skill metadata, which only describes dataset-related actions. This mismatch is dangerous because users or higher-level agents may trust the declared scope and unknowingly invoke broader state-changing operations against the SmartSaaS backend.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The project-management API call is unjustified by the skill's stated dataset-focused purpose, making it an unnecessary privilege/capability expansion. In agent settings, hidden or unrelated write operations are risky because they can be triggered under false assumptions about what the skill is allowed to modify.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata says the skill is dataset-focused and explicitly describes only dataset creation/addition scripts, but this file creates project work-package tasks against a protected API endpoint. That scope mismatch is dangerous because users and orchestrators may grant trust or permissions based on the manifest, while the skill performs undisclosed remote state-changing actions with an API key.

Intent-Code Divergence

High
Confidence
93% confidence
Finding
The skill metadata says scripts should be run via execute_shell and 'never curl', but the script directly invokes curl to POST to a remote API. This discrepancy undermines operator expectations and policy enforcement, and can bypass controls that rely on the declared execution model or prohibited network behavior.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.