Money Maker Hand

Security checks across malware telemetry and agentic risk

Overview

This prompt-only skill is a disclosed money-opportunity research and planning assistant, with the main caveat that it stores income-tracking state.

Install only if you are comfortable with the assistant storing income goals, progress, reports, and opportunity history. Review generated plans before acting on them, and inspect or clear income_database.json and money_maker_state if you no longer want that information retained.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The skill includes broad natural-language activation examples such as requests to generate weekly money-making reports or plan earning goals. In a prompt-driven runtime, these phrases can overlap with ordinary user conversation and may cause the skill to activate unexpectedly, leading it to perform research, state updates, or reporting without sufficiently explicit user intent.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly describes persistent writes to local files and memory state, including updates to `income_database.json` and `money_maker_state`, but does not clearly warn the user that local data will be modified. This is risky because a user may invoke what appears to be a reporting or planning skill without realizing it will change stored state, potentially overwriting data or creating misleading records.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal