Security audit

Affiliate Skills

Security checks across malware telemetry and agentic risk

Overview

This package does not show malware, but it should go to Review because the installed artifacts are broader and more persistent than the main affiliate-check description suggests.

Install only if you want the full Affitor affiliate-marketing suite, not just a lookup helper. Review generated public-facing content before posting, keep affiliate disclosures visible, do not use the Reddit guidance for ban evasion or stealth promotion, set AFFITOR_API_KEY only when needed, stop the daemon when finished, and do not run distribution/publishing scripts unless you are intentionally maintaining or publishing the package.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration

Findings (120)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 76% confidence
Finding: The skill declares only Bash and Read, but its documented behavior clearly relies on network access to list.affitor.com and reads environment state via AFFITOR_API_KEY. This permission/capability mismatch can mislead reviewers and users about what the skill will access, weakening trust boundaries and increasing the chance of unintended data exposure or unreviewed outbound connections.

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The prompt instructs the agent to clone/fetch and thoroughly review an external repository, which materially expands the skill from affiliate-program lookup into broad repository access and analysis. In an agent context, this creates unnecessary capability scope, increases exposure to prompt injection from untrusted repo content, and can cause data access or actions unrelated to the skill’s stated purpose.

Context-Inappropriate Capability

Medium

Confidence: 97% confidence
Finding: The review prompt grants broad codebase auditing authority over arbitrary files and asks for comprehensive analysis beyond the documented scope of the affiliate-check skill. This overbroad authority is dangerous because an agent may ingest and act on hostile instructions embedded in repositories, access unrelated sensitive material, or perform excessive work not justified by the requested affiliate research task.

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The bootstrap prompt materially broadens the skill from a data lookup utility into a general-purpose affiliate marketing agent that generates content, landing pages, funnels, automation, and distribution plans. This scope expansion can cause downstream agents to perform actions or produce advice outside the reviewed and declared capability boundary, increasing the risk of policy bypass, unsafe marketing guidance, or misuse of untrusted web/pasted data under the guise of a narrowly scoped tool.

Intent-Code Divergence

Low

Confidence: 86% confidence
Finding: The prompt asserts access to authoritative live affiliate data but permits fallback to user-pasted results or generic web search, which weakens provenance and can mislead the model into treating unverified information as equivalent to trusted API data. In a marketing/recommendation context, this can result in inaccurate or manipulated program comparisons, especially if adversarial users supply fabricated results or search snippets.

Description-Behavior Mismatch

High

Confidence: 97% confidence
Finding: The registry content is materially inconsistent with the declared skill context: instead of a narrowly scoped affiliate-check skill, it defines a large Affitor skill suite with dozens of unrelated capabilities. This kind of manifest/registry mismatch can cause incorrect routing, unexpected tool exposure, and review bypass because operators may approve one skill while actually loading a much broader package.

Description-Behavior Mismatch

High

Confidence: 95% confidence
Finding: This script performs repository promotion, publication, and marketing-content generation, which is unrelated to the skill's declared purpose of querying live affiliate program data. That scope mismatch is dangerous because users or agents invoking the skill may unknowingly trigger distribution or publishing workflows, increasing the risk of unintended external side effects, credential misuse, or repository changes.

Context-Inappropriate Capability

High

Confidence: 97% confidence
Finding: The file automates GitHub topic edits, npm publishing, ClawHub syncing, and generation of promotional content and submission links, none of which are justified by the skill's stated lookup functionality. In a skill context, embedded publishing automation expands the trust boundary and can cause an agent or operator to perform outbound actions against third-party services using local credentials, which is a real security concern even if some steps are interactive.

Description-Behavior Mismatch

High

Confidence: 95% confidence
Finding: The manifest declares a skill named "performance-report" that generates affiliate performance reports, but the provided skill context is for "affiliate-check," a live affiliate-program lookup tool. This identity/behavior mismatch can cause users or orchestrators to invoke the wrong capability, bypass trust assumptions, or load unintended instructions from a different skill directory, creating confusion and increasing the chance of unsafe tool use or policy evasion.

Description-Behavior Mismatch

Medium

Confidence: 97% confidence
Finding: The skill explicitly pushes the model to produce 'immediately publishable' content, to write as if it has used the product, and to avoid AI-generation disclosure. That combination encourages fabrication of firsthand experience and deceptive commercial content, which can mislead readers and create legal, compliance, and reputational risk in affiliate marketing contexts.

Description-Behavior Mismatch

High

Confidence: 95% confidence
Finding: The file defines an affiliate blog content-generation agent, while the declared skill metadata describes a live affiliate-program lookup tool. This mismatch is dangerous because users, reviewers, or automated policy systems may grant trust, permissions, or deployment approval based on the advertised function, while the actual skill performs a materially different activity that can generate promotional content and drive external traffic using web tools.

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: The skill explicitly frames its purpose as recommending affiliate products on Reddit 'without getting banned or flagged as spam,' which is a direct attempt to evade platform moderation and detection. That makes the capability inherently deceptive: it is not just helping write content, but optimizing covert commercial promotion disguised as organic participation.

Intent-Code Divergence

High

Confidence: 95% confidence
Finding: The text presents the posting as 'genuine value' and 'trust-building' while instructing the model to shape affiliate promotion so it appears native and non-marketing. This is dangerous because it operationalizes deceptive persuasion by masking promotional intent behind an authenticity narrative.

Context-Inappropriate Capability

Medium

Confidence: 87% confidence
Finding: The skill goes beyond content drafting into campaign optimization: engagement strategy, timing, cross-posting, and scaling tactics. In this context, those features increase the reach and effectiveness of deceptive affiliate promotion, turning a single-post helper into a growth and amplification tool for spam-like activity.

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: The file content identifies a different skill ('viral-post-writer') than the declared skill metadata ('affiliate-check'), which indicates a packaging or routing mismatch. In agent systems, this can cause the wrong instructions and tool permissions to be loaded, potentially exposing web-enabled capabilities or unrelated behavior where users expect only affiliate-data lookup functionality.

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: This file contains detailed guidance for writing and optimizing affiliate social media posts, which is materially different from the stated skill purpose of live affiliate program lookup and comparison. That mismatch increases the risk that the skill is being used to facilitate promotional content generation outside its declared scope, undermining user trust and making it easier to smuggle high-risk marketing or policy-evasion guidance into an otherwise benign-looking skill.

Description-Behavior Mismatch

High

Confidence: 99% confidence
Finding: The file content is materially unrelated to the declared skill purpose of live affiliate-program lookup and comparison. This kind of scope mismatch is dangerous because it can cause the agent to surface persuasive social-marketing guidance instead of the requested data task, creating prompt-surface contamination, user deception, and unauthorized promotional behavior.

Description-Behavior Mismatch

High

Confidence: 95% confidence
Finding: The file defines a different skill ('bio-link-deployer') than the supplied skill metadata ('affiliate-check'), indicating manifest/context drift or packaging mismatch. In an agent skill ecosystem, this can cause reviewers and users to authorize or invoke a capability different from what they believe they are installing, which is dangerous because it undermines trust boundaries and can hide unexpected behavior or tool access.

Description-Behavior Mismatch

High

Confidence: 94% confidence
Finding: The manifest describes a "landing-page-creator" skill, but the surrounding skill metadata provided for evaluation is for an unrelated "affiliate-check" skill. This kind of identity/purpose mismatch is dangerous because it can cause users, reviewers, or orchestration systems to invoke a skill under false assumptions, leading to unintended tool use, data handling, or policy bypass during execution.

Description-Behavior Mismatch

Medium

Confidence: 87% confidence
Finding: The skill goes beyond merely generating a landing page and explicitly instructs users to build a lead-capture funnel that collects emails, redirects to affiliate offers, and drives traffic. That expansion increases abuse potential because it operationalizes affiliate-marketing workflows that can be used for deceptive lead generation, undisclosed promotions, or spam-oriented campaigns rather than simple page design.

Description-Behavior Mismatch

High

Confidence: 95% confidence
Finding: The manifest advertises a compliance-checking skill that does not align with the surrounding affiliate-program research context, which indicates the skill may be miscategorized, misplaced, or wired to the wrong instructions. This kind of context mismatch can cause an agent to invoke the wrong capability, leading to incorrect trust decisions, policy bypass in workflow routing, or unintended handling of sensitive marketing/compliance tasks.

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: The declared skill package is for an affiliate-check capability, but this file implements a meta retrospective planner instead. That mismatch can cause the wrong skill to be selected or invoked, exposing users to unexpected behavior, incorrect tool routing, and policy/control bypass where downstream systems trust metadata more than actual behavior.

Description-Behavior Mismatch

High

Confidence: 97% confidence
Finding: The file advertises a 'competitor-spy' capability focused on reverse-engineering competitors, while the provided skill metadata describes a benign affiliate-program lookup tool backed by list.affitor.com. This mismatch is dangerous because it can conceal materially different behavior from reviewers and routing systems, enabling unauthorized reconnaissance under a trusted or unrelated skill identity.

Description-Behavior Mismatch

High

Confidence: 95% confidence
Finding: The workflow instructs the agent to perform broad web search, web fetch, disclosure mining, income-report discovery, and content-gap analysis against third-party competitors, which goes far beyond the declared scope of affiliate data retrieval. In context, this expands the agent from a narrow data lookup tool into a reconnaissance capability that can be triggered under false pretenses, increasing the risk of policy bypass and misuse.

Intent-Code Divergence

High

Confidence: 96% confidence
Finding: The title and core documentation clearly position the skill as 'Competitor Spy,' directly contradicting the surrounding manifest context that frames it as an affiliate-check utility. This deceptive presentation is dangerous because it indicates intentional repurposing or smuggling of a higher-risk capability into a lower-risk package, undermining trust, review, and authorization boundaries.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal