Payout Possum

Security checks across malware telemetry and agentic risk

Overview

This is a coherent money-recovery helper, but users should limit the personal financial history they share and use optional Gmail review carefully.

Install only if you are comfortable using an agent to organize sensitive money-recovery searches. Provide the minimum details needed for each category, avoid full SSNs, full account numbers, or identity documents unless an official verified claims process requires them, and enable Gmail coverage only for targeted read-only review.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly instructs collection of extensive identity, address, employment, financial-account history, and optional Gmail evidence review, but it does not present a clear privacy notice, data-minimization guidance, retention limits, or consent language proportional to the sensitivity of that information. In this context, the skill is designed to help locate funds, so some sensitive data is relevant, but the breadth of requested data and inbox access increases privacy and misuse risk if users overshare or if downstream tools handle the data insecurely.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal