Security audit
CashMachine Bounty Hunter
Security checks across malware telemetry and agentic risk
Overview
This skill is not clearly malicious, but it proposes autonomous GitHub bounty work that can publish PRs, handle reviews, and send payout-related claims without enough stated limits or approvals.
Review before installing. Use only with a narrowly scoped GitHub token or test account, require manual approval before every fork, PR, comment, review response, or payout claim, and run generated fixes in a sandboxed temporary clone with human review before publication.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
- Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
- Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
- Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
65/65 vendors flagged this skill as clean.
Static analysis
No suspicious patterns detected.
