Whop Digital Store

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent for Whop store automation, but it asks for a live API key and describes product creation and affiliate payouts without clear safeguards.

Install only if you intend to let an agent help manage a real Whop business account. Store WHOP_API_KEY only in a secure settings or secrets store, do not commit it to files, and require explicit confirmation or sandbox testing before creating products, delivering licenses, or paying affiliates.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs users to store a `WHOP_API_KEY` and automate product creation, license delivery, and affiliate payouts, but it does not warn about the sensitivity of the credential or the risks of triggering real external actions. This can lead users to expose API keys, run unintended financial or account-modifying operations, or deploy the skill without understanding the consequences.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal