Earn Hunter

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent OKX Earn monitor, but it combines persistent scheduling, external notifications, and financially significant subscription guidance with a few under-scoped safety boundaries.

Install only if you want persistent live OKX Earn monitoring and are comfortable with scheduled background scans, local files under ~/.okx/earn-hunter, and possible Telegram/Lark delivery. Use least-privilege OKX credentials, protect Telegram/Lark secrets, inspect the cron or LaunchAgent entry, and require a fresh explicit confirmation before any transfer, redemption, or subscription.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
The skill reads Telegram and Lark notification credentials from environment variables and uses them for outbound messaging, but that capability is not fully surfaced in the manifest description. Even though it does not instruct printing secrets, undisclosed secret consumption plus network delivery increases risk and can surprise users in sensitive environments.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill description suggests monitoring and guidance, but the body performs software installation and establishes persistent scheduling on the host. That mismatch is risky because users invoking a finance-monitoring skill may not expect package installation, cron modification, or LaunchAgent creation.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The guide materially expands a monitoring/notification skill into operational guidance for fund movement and subscription execution. Even if the final purchase is handed off, the documented flow includes transfer and redeem steps plus pre-filled direct CLI commands, which can cause the agent to facilitate real financial transactions beyond the user's likely expectation for a passive monitoring skill.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documentation states the skill does not directly execute write operations, but later instructs transfer and redeem commands that are themselves write actions. This contradiction undermines user trust and safety controls because operators or downstream agents may incorrectly treat the skill as read-only while it still performs state-changing financial operations.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The file states that scanning behavior is implemented by a shell script and should not be hand-executed, but later sections instruct the AI to directly read and modify config/state files. That inconsistency creates a dangerous implementation gap: an agent may bypass the intended isolated script and perform local file operations itself, expanding privilege and making behavior less auditable.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document again claims the script implements the logic, but the cleanup and sequence sections explicitly tell the AI to manipulate persistent local files. This is a real security issue because it encourages the agent to act as a file-mutating runtime rather than a constrained wrapper around a reviewed script, increasing risk of unintended state corruption or abuse.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script lets platform.json choose the names of environment variables to read via printenv, so anyone who can modify that config can cause the process to access arbitrary environment variables. In an agent or cron environment, this can expose unrelated secrets or reroute notifications using attacker-controlled values, creating a configuration-driven secret exfiltration primitive.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script sources env.snapshot as shell code before doing any work, which means any attacker who can write that file gets arbitrary command execution in the context of the scan job. Because the file path is influenced by EH_STATE_DIR and the script may run from cron with access to API-related environment and filesystem state, this is a direct code execution risk.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The template embeds a hard-coded OKX deep/referral link together with urgent CTA language such as immediate subscription and first-come-first-served framing. This goes beyond neutral monitoring into steering user financial action, creating a conflict-of-interest risk and enabling undisclosed affiliate promotion or dark-pattern behavior if users trust the agent's alerts as impartial.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases include broad everyday language like 'notify me about earn' and '定时检查理财', increasing the chance of accidental activation. Because activation can lead to installs, config writes, and scheduler persistence, overbroad routing materially raises the chance of unintended privileged actions.

Vague Triggers

Medium
Confidence
80% confidence
Finding
Pause triggers such as '暂停' and 'stop' are overly generic and can collide with ordinary conversation. This could disable monitoring unexpectedly, reducing reliability and potentially suppressing expected alerts without the user intending to modify the scheduler.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Broad triggers like generic purchase phrases can activate a sensitive financial workflow from ordinary conversation, especially after a notification context. In a skill that can route users toward transfers, redemptions, and purchases, accidental activation increases the risk of unintended transaction assistance and confusing consent boundaries.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The spec authorizes direct reads and writes to user-local config and state under `~/.okx/earn-hunter/` without any explicit user-facing disclosure or consent boundary. In an agent setting, silent modification of local files is security-relevant because it can persist behavior, alter notifications, or corrupt user state without the user understanding that the skill writes to disk.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The spec performs exchange API queries and may send notifications to external channels, but it does not clearly warn that account-related data, opportunity details, and possibly error conditions will be transmitted. In a security review, undisclosed outbound network and notification behavior is risky because it can leak financial activity patterns or credentials-related status to third parties.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users to copy a script into their home directory, make it executable, and install a cron job, but it does not clearly warn that this creates persistent local system changes. Even if intended for legitimate automation, silent persistence and filesystem modification can surprise users and increase risk if the script is later altered or misunderstood.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The file states that notifications are sent via curl to Telegram/Lark but does not disclose what data leaves the host or that external network transmission occurs. In a finance-related monitoring skill, outbound notifications can expose account-related opportunity data, timing, and possibly user-specific metadata to third-party services.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The template tells users to reply with a subscription amount and states the agent will proceed to a purchase-guide flow, but it does not clearly warn that providing an amount may initiate a financially significant action. In a trading/earn context, this can cause users to misunderstand a simple reply as harmless chat input, increasing the risk of unintended fund commitment or socially engineered purchases.

Session Persistence

Medium
Category
Rogue Agent
Content
### Lark Webhook Setup

1. "Create a custom bot in a Lark group → get the webhook URL"
2. "Save it to config:"
   Read `~/.okx/earn-hunter/platform.json` → set `.notify.lark_webhook` to the webhook URL → write back.
Confidence
84% confidence

VirusTotal

62/62 vendors flagged this skill as clean.