CardPointers

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward guide to the CardPointers CLI, which can access your card wallet and offers after login. No hidden automation or unsafe behavior is evident.

Install only if you trust the CardPointers CLI/Homebrew tap and are comfortable letting an agent query your CardPointers wallet, offers, profiles, and recommendations. Treat ~/.cardpointers/config as a secret, keep CARDPOINTERS_API pointed at the official endpoint unless you intentionally trust another server, and use cardpointers logout when you no longer want the token stored locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly documents that a JWT token is stored at ~/.cardpointers/config but does not warn that this file contains sensitive credentials. In an agent environment, documenting credential storage without caution can increase the chance of accidental disclosure, mishandling, or unsafe file access by users or downstream tooling.

VirusTotal

66/66 vendors flagged this skill as clean.
