Passive Income Monitor

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed passive-income monitoring guide with privacy-sensitive configuration and alerting options, but no evidence of hidden or destructive behavior.

Install only if you trust the source of any referenced scripts, use read-only or least-privilege API keys, never provide seed phrases or private keys, secure the local config and earnings files, and send webhook alerts only to private HTTPS endpoints you control.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly supports webhook alerts to third-party endpoints but does not clearly warn that alert contents and monitoring metadata may be transmitted off-host. In a finance/crypto monitoring context, even seemingly low-sensitivity data such as node names, earnings drops, wallet-linked stream labels, or outage timing can expose operational and financial information to external services.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal