Security audit

CashMachine Bounty Hunter

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it proposes autonomous GitHub bounty work that can publish PRs, handle reviews, and send payout-related claims without enough stated limits or approvals.

Review before installing. Use only with a narrowly scoped GitHub token or test account, require manual approval before every fork, PR, comment, review response, or payout claim, and run generated fixes in a sandboxed temporary clone with human review before publication.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.