Worth It — Agent Profitability Tracker

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is a disclosed local ROI logger, with the main caution that matching value commands will be sent to a local service if one is running.

Install only if you intend your agent to log matching $saved, $earned, $time, and $cost messages. Confirm that localhost:3002 is a trusted Worth It service before using it, and avoid putting confidential client or financial details in descriptions unless you understand how that service stores and exports the data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill directs agents to detect command-like content in user messages and automatically POST the parsed data to a local HTTP API, but it provides no user notice, consent flow, authentication guidance, or transport-security considerations. Even though the endpoint is localhost, this still causes agent-mediated transmission of user-provided content to another service, which can expose sensitive business, financial, or project data to unintended local consumers or insecure downstream integrations.

VirusTotal

57/57 vendors flagged this skill as clean.
