
Security audit

小O的赚钱工具箱

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a disclosed live-data monitor that calls a public UUMit API and references a logged-in ClawHub account, with no evidence of hidden exfiltration or destructive behavior.

Before installing, confirm you are comfortable with the skill contacting api.uumit.com from the frontend and with any use of the logged-in @cx75227-ops ClawHub account context. Avoid using it with private account data unless the API calls and browser credential behavior are clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
## Data sources

- **UUMit API**: `https://api.uumit.com/api/v1/digital-assets`
- **ClawHub**: uses the logged-in `@cx75227-ops` account
- The web frontend fetches real-time data directly through the UUMit public API
Confidence: 85%
Finding: https://api.uumit.com/

VirusTotal

63/63 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.