ClawHub

Jarvis Money Maker

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only monetization guide, but it gives broad automation and plaintext credential-storage advice that users should review carefully before installing.

Install only if you intentionally want a monetization workflow guide and are prepared to keep every external action under manual control. Do not let an agent post, upvote, submit tasks, publish skills, or use accounts without specific approval. Avoid plaintext credential files; use a secret manager or scoped environment variables, enable MFA, and use low-privilege dedicated accounts where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill description is broad enough to activate on generic 'make money' requests, which can cause the agent to apply monetization workflows outside a clearly scoped, user-safe context. In a security-sensitive agent ecosystem, overly broad invocation increases the chance of unintended actions, spammy behavior, or guidance that touches regulated or risky financial activity without adequate safeguards.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The quick-start guidance tells users to register platforms and set up credentials but provides no warning about secret handling, least privilege, or the risks of sharing tokens with agents and local tooling. This omission can lead users to expose API keys or account access in unsafe ways, especially because the skill encourages automation across multiple external services.

Missing User Warnings

High
Confidence
98% confidence
Finding
Advising users to store credentials in `credentials/*.json` directly encourages keeping secrets in plaintext local files, which are commonly leaked through source control, backups, logs, or other agent/tool access. In this skill's context, the risk is elevated because it promotes multi-platform automation, increasing both the number of credentials stored and the blast radius if they are compromised.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal