Money Saving Tips

Security checks across malware telemetry and agentic risk

Overview

This is a text-only money-saving skill with some broader local deal-planning language, but it does not run code, request permissions, or handle private data.

Before installing, understand that the skill may answer savings questions using local outing details such as distance, queues, parking, reviews, and discounts. Verify live offers, wait times, and navigation details before spending money or traveling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The skill metadata claims household bill optimization and money-saving advice, but the body describes location-based discovery, queue status, reservations, parking, and community venue content. This mismatch can cause the agent to invoke the skill in the wrong contexts, misleading users and potentially causing unnecessary collection or use of location-adjacent, outing-related data outside the user’s expected purpose.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger examples are extremely broad and generic, which increases the chance that the agent will route unrelated user requests into this skill. Overbroad invocation language can lead to unintended activation, user confusion, and exposure of contextual data to a skill that was not clearly requested for the task at hand.

VirusTotal

58/58 vendors flagged this skill as clean.
