Back to skill

Security audit

Revenue Coder

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill, but it asks an agent to autonomously build, test, post, and deploy revenue automation without clear approval limits.

Review before installing. Use only in a sandbox or staging repository, disable autonomous live deployment and external posting unless explicitly approved, replace any example affiliate identifiers with your own, and require confirmation before exec commands, GitHub pushes, scraping, public posting, or deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list includes broad, colloquial phrases like "revenue code," "profit script," and especially "build money printer," which can match loosely framed user requests and invoke a highly capable autonomous coding/deployment skill unintentionally. In this context, accidental invocation is more dangerous because the skill is explicitly designed to generate, test, deploy, and iterate on monetization code, increasing the chance of abuse or unauthorized automation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises autonomous generation of scrapers, auto-posters, bounty solvers, self-testing, and deployment to GitHub/live targets, but it does not clearly warn users that it can execute code and perform deployment actions. That omission is dangerous because users may invoke it without understanding that it can create and operationalize monetization infrastructure, including potentially abusive scraping or posting workflows.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.