Earnings Tracker

Security checks across malware telemetry and agentic risk

Overview

This looks like a non-malicious earnings tracker, but its documentation does not match the shipped code and it writes results to a hard-coded local OpenClaw memory path.

Review this skill before installing. Use the Python command from package.json rather than the documented Node command, do not expect US-market tracking or Discord/Telegram alerts to work, and change or remove the hard-coded output path before running it in your own OpenClaw environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Tp4

High
Category
MCP Tool Poisoning
Confidence
80% confidence
Finding
A documented behavior mismatch is a real security concern because users may grant trust based on the stated purpose while the implementation performs additional or different actions, such as local file writes and incomplete/undocumented data flows. Even if not overtly malicious, this undermines informed consent and can conceal privacy, integrity, or operational risks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises outbound pushes to Discord and Telegram without disclosing what data is transmitted, to whom, or the privacy implications of sending potentially sensitive watchlists or generated summaries to third-party platforms. Lack of transparency around external transmission can lead to unintended data exposure and unsafe deployment in regulated or private environments.

VirusTotal

No VirusTotal findings