ClawHub

ProfitCore

Security checks across malware telemetry and agentic risk

Overview

ProfitCore is a text-only ROI planning skill with broad profit-focused instructions, but it does not include code, install hooks, credentials, hidden data access, or persistence.

Install this only if you want business or productivity decisions framed around ROI. Do not treat a GO recommendation as permission to spend money, post publicly, contact people, change accounts, or store sensitive business information unless you explicitly authorize that in your agent environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The README describes the skill in broad terms such as finding opportunities, making decisions, executing efficiently, and learning over time, but provides no trigger boundaries, approval requirements, or operational limits. For an agent skill, this ambiguity is dangerous because downstream systems or users may interpret it as authorization for open-ended autonomous behavior, increasing the chance of unsafe actions or misuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly promotes autonomous decision-making and action execution ('decides what’s worth doing' and 'executes efficiently') without warning about possible financial, system, or data consequences. In this context, the profit-maximizing framing makes the issue more dangerous because a poorly constrained agent may take harmful actions that optimize short-term ROI while ignoring safety, compliance, or user intent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal