Security audit

Cashclaw Landing Page

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned and clean, with the main caveat that generated pages may load Google Fonts from a third party.

Install is reasonable for normal use. For privacy-sensitive or offline deployments, replace Google Fonts with a system font stack or self-hosted fonts, and review generated HTML for any other external CDN assets before sharing it publicly.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 84% confidence
Finding: Requiring Google Fonts introduces third-party network requests from the generated landing page, which can disclose visitor IP addresses, user agents, referrers, and timing metadata to Google without notice or consent handling. In privacy-sensitive deployments, this can create compliance and data-sharing issues, especially if clients assume the page is otherwise self-contained and minimal-dependency.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal