Security audit

Money Router

Security checks across malware telemetry and agentic risk

Overview

Money Router is a coherent money-transfer comparison skill, but users should know its API calls send quote and rate-verification details to Coinnect.

Install only if you are comfortable sending quote parameters and submitted rate observations to Coinnect. Avoid submitting personal or transaction-identifying details, keep any optional API key private, and review the external Coinnect package before running the optional MCP server or self-hosted code.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill exposes a `coinnect_verify` capability that sends user-supplied observed rates and provider data to an external API, but the skill description does not clearly warn users that this action transmits data off-platform. In an agent setting, users may assume all analysis is local or read-only; missing disclosure can lead to unintended sharing of financial activity, provider usage, or operational metadata.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.