Jubilee Skill, By Jubilee Labs

Security checks across malware telemetry and agentic risk

Overview

This treasury skill is purpose-aligned but needs Review because it can move real crypto funds with a raw wallet key and lacks clear transaction safeguards or reviewed implementation code.

Install only if you are prepared to treat it as a high-risk financial tool. Use a new low-balance wallet, avoid main wallets, verify every contract and recipient, require manual approval for every transaction, avoid automated donation jobs until the code is reviewed, and do not run war-room in repositories containing secrets.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Natural-Language Policy Violations

Medium

Confidence: 97% confidence
Finding: The skill embeds explicit religious directives such as using yield for 'Kingdom purposes' and closes with devotional messaging, which can steer agent behavior toward a sectarian mission without any user opt-in or policy boundary. In a treasury-management skill that influences financial decisions and donations, this framing is more dangerous because it can bias allocation choices and charitable transfers in ways unrelated to the user's stated goals.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal