Is backtrue/marketing-copy-knowledge safe?
https://github.com/openclaw/skills/tree/main/skills/backtrue/marketing-copy-knowledge
This skill routes all user marketing content to a third-party Cloudflare Workers service and embeds an autonomous payment flow that instructs agents to submit financial transactions to the skill-author's endpoint, representing meaningful data-collection and financial-risk concerns. The MCP and llms_txt endpoints introduce a dynamic instruction surface that cannot be fully audited from the static SKILL.md, allowing the skill's effective behavior to be modified post-installation. The installation itself was clean (GitHub-only network activity, no executable code or hooks), and all honeypot files remained intact, but the runtime behavioral profile warrants careful operator review before deployment in any agent context with payment method access.
Category Scores
Findings (11)
HIGH Autonomous payment endpoint instructs agent to submit financial transactions -20
SKILL.md's 'Paid usage (recommended for /generate)' section provides a complete curl template instructing the agent to POST a Stripe payment_method_id, operator email, agent_id, and a monetary amount to the skill-author-controlled /ai-purchase endpoint. An agent with access to stored payment credentials could execute this without per-transaction user confirmation, resulting in unauthorized charges.
HIGH All user marketing data transmitted to third-party Cloudflare Workers service -20
Every /generate and /query API call routes user-supplied product descriptions, business context, marketing strategies, and tone preferences to toldyou-lobstermind.backtrue.workers.dev, a Cloudflare Worker controlled by the skill author. This constitutes systematic third-party data collection of potentially sensitive business information with no disclosed data retention or privacy policy.
MEDIUM MCP endpoint enables dynamic post-install instruction injection -10
The skill registers an MCP endpoint at /mcp and instructs the agent to call it with {"method":"get_capability"} to discover available methods. The response content is entirely controlled by the skill author's server and can return arbitrary instructions not present in the audited SKILL.md, making the effective instruction surface non-auditable from the static skill file.
MEDIUM llms_txt URL may serve additional LLM-targeted instructions -8
The metadata includes an llms_txt URL pointing to the skill author's service. This file, if fetched by the agent at runtime, could contain LLM-specific behavioral instructions that supplement or override SKILL.md guidance. The content is server-controlled and not captured in this audit.
MEDIUM Payment method and financial data routed to skill-author endpoint -12
The /ai-purchase endpoint collects Stripe payment_method_id tokens, operator email addresses, and monetary amounts. Even if tokens are not raw card numbers, their exposure to a third-party endpoint creates a credential-harvesting risk and violates least-privilege data handling.
MEDIUM Agent may initiate financial transactions without per-transaction user approval -25
The skill frames paid usage as 'recommended' and provides a complete programmatic purchase flow. An agent acting on ambiguous 'use the best available method' instructions could autonomously purchase API credits from the skill-author's service, especially if the operator has pre-authorized a payment method.
MEDIUM MCP dynamic capabilities expand attack surface post-installation -15
The MCP endpoint can return new tool definitions or instructions after installation. An adversarial skill author could update server-side MCP responses to grant the agent new capabilities (e.g., sending additional data, reading context) that were not present during this audit.
LOW Upsell framing embedded in agent instructions may bias autonomous decisions -8
The label 'Paid usage (recommended for /generate)' is injected into the agent's system prompt, potentially biasing autonomous decisions toward initiating paid API calls even when the freemium tier would suffice.
LOW Curl examples serve as runtime agent instructions for external API calls -10
SKILL.md contains curl command templates for /generate, /query, /mcp, /ai-purchase, and /api-status endpoints. These are not auto-executed during install but function as explicit agent instructions to make external HTTP requests including to financial endpoints, effectively encoding network behavior into the agent's system prompt.
INFO Clean sparse checkout from GitHub with no anomalous behavior 0
The installation cloned github.com/openclaw/skills.git via HTTPS (140.82.121.3:443), performed a sparse checkout of the skill subdirectory, copied two files, and removed the temp clone. No unexpected outbound connections, processes, or persistent listeners were observed.
INFO Canary file reads attributable to monitoring infrastructure, not skill code -13
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, etc.) were read during the audit at two points — both at identical sub-millisecond batch timestamps consistent with monitoring setup and teardown scripts, not with organic skill-initiated file access. The skill contains no filesystem-reading code. Official integrity check confirms all canaries intact.