Card Optimizer

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only credit card rewards helper with local storage of card and spending estimates, and its sensitive behavior is disclosed and purpose-aligned.

Safe to install if you want a local rewards optimizer. Keep cards.json limited to card names, reward rules, and rough category spending estimates; do not store card numbers, bank logins, statements, or other credentials. Only enable quarterly reminders if you know where they are configured and how to disable them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The skill’s trigger examples are broad enough that ordinary purchase-related conversation could unintentionally activate card-selection behavior. This can cause the agent to shift into financial-advice and data-handling flows without clear user intent, increasing the chance of unwanted recommendations or unnecessary collection/use of spending and card data.

Vague Triggers

Medium
Confidence: 95%
Finding
The fuzzy category matching accepts highly generic phrases like 'food', 'ride', 'subscription', and 'general', which are common in normal conversation and may be interpreted as card-optimization requests without sufficient context. In a financial skill, this overbroad matching increases the risk of accidental activation, misclassification of user intent, and inappropriate recommendations based on incomplete or ambiguous inputs.

VirusTotal

64/64 vendors flagged this skill as clean.
