
Security audit

Whop Digital Sales

Security checks across malware telemetry and agentic risk

Overview

This skill is not deceptive, but it can make live public changes to a Whop business account using a sensitive Company API key without strong safeguards.

Install only if you intend an agent to create real Whop products, pricing plans, and checkout links in your account. Use a narrowly scoped Whop key if available, keep it in the secret manager, review the hardcoded product names/prices first, and run it only when you are ready for live account changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes use of environment secrets and outbound network access to a live payment platform, but the skill declares no permissions. This creates a transparency and governance gap: users or orchestration systems may not understand that the skill can access a sensitive API key and perform live remote actions against commerce resources.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The run instructions tell the operator to execute scripts that create products and generate checkout links, but they do not clearly warn that these actions affect a live Whop account. That omission can lead to unintended product publication, billing setup, or payment-link creation in production, especially in an agentic environment where commands may be run with minimal review.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the user to store a Company API key but does not explain that this credential can authorize sensitive account-level operations such as creating products, plans, and checkout links. Without clear sensitivity warnings and handling guidance, users may expose or overuse a high-value secret, increasing the risk of unauthorized commercial actions on their Whop account.

VirusTotal

60/60 vendors flagged this skill as clean.
