Security audit

Passive Income Tracker

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only income tracking skill with an optional webhook setting; the main consideration is protecting any revenue data you choose to provide.

Install only if you are comfortable entering income and revenue details into the skill. If you configure the webhook, use an HTTPS endpoint you control or trust, review what data is being sent, and avoid including unnecessary financial or account details.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill explicitly supports a user-supplied webhook for sending income tracking data to an external endpoint, but it does not warn users that financial or behavioral data may be transmitted off-platform. In a finance-related context, silent external sharing increases privacy and data-handling risk because users may not realize their revenue metrics, dates, or source details are leaving the local/product boundary.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal