Security audit

Popeye Money

Security checks across malware telemetry and agentic risk

Overview

This is a Chinese-language personal finance guidance skill with no executable code, account access, persistence, or hidden data movement.

Install only if you are comfortable using a Chinese-language personal finance helper. Share category totals instead of raw bank statements when possible, remove account numbers, card numbers, addresses, employer details, and exact merchant identifiers, and treat the investment section as educational guidance rather than professional financial advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Natural-Language Policy Violations

Medium

Confidence: 93% confidence
Finding: The module is written entirely in Chinese and does not provide a language-choice mechanism or fallback, which can exclude users who cannot read Chinese and may cause misunderstanding of important financial risk disclosures. In an investing skill, comprehension matters because users could miss suitability guidance or warnings, making the issue more significant than in purely cosmetic content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.