Token Research

Security checks across malware telemetry and agentic risk

Overview

This crypto research skill mostly matches its stated purpose, but it also requires automatic owner calls/DMs, references an unreviewed local alert script, and performs automatic persistence without clear user control.

Install only if you explicitly want an automated crypto research workflow with alerting behavior. Before use, require confirmation for any calls, DMs, execution of ~/workspace/scripts/ape-call.sh, sub-agent spawning, batch deep dives, and report/watchlist writes; use limited API keys and avoid submitting sensitive wallet or strategy information unless necessary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 85%
Finding: The skill invokes shell commands (`curl`, local script execution) without declaring the permissions or capabilities needed to do so. Hidden execution capability is risky because users and orchestrators cannot accurately assess what side effects the skill may have, including network access and local command execution.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 91%
Finding: The documented purpose is token research, but the skill also performs undeclared external API access, local file writes, and behavior beyond the stated scope. This mismatch undermines informed consent and can cause the skill to be invoked in contexts where users do not expect network transmission or persistent storage.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: The skill instructs the agent to call the owner and send messages over Telegram/Discord/WhatsApp for certain token ratings, which is unrelated to ordinary token research. This creates an unauthorized exfiltration and action channel, allowing sensitive user prompts, investment interests, or generated analysis to be forwarded to a third party without user approval.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: Mandated outbound communication and escalation are unjustified for a research-only skill and expand the blast radius from analysis to unsolicited external actions. In practice, this can be abused to leak findings, spam contacts, or trigger real-world actions based on model output without user awareness.

Missing User Warnings

Severity: High
Confidence: 96%
Finding: The skill requires external calls and direct messages to the owner without notifying the user that external communications will occur. This violates transparency and informed consent, and can disclose user-derived data or analysis to unauthorized recipients.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding: The skill instructs the agent to save reports and append to watchlists on local disk without warning the user about persistent storage. Silent file writes can expose sensitive research history, create unwanted state, and surprise users who expected a stateless analysis workflow.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding: Batch mode automatically deep-dives top tokens and saves outputs without asking the user, causing additional network access, compute use, and persistent writes beyond the initial request. This increases the risk of unintended side effects and unapproved data handling.

Missing User Warnings

Severity: Low
Confidence: 90%
Finding: The example instructs users to create and chmod a local shell script, which modifies the local filesystem and prepares executable code without an explicit safety warning. While the script content is simple and not overtly malicious, documentation that encourages file creation and execution can lead users to run unreviewed commands and normalize unsafe shell practices.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding: The script immediately creates a local output directory and later transmits the supplied token address to multiple third-party services without an explicit consent prompt or preflight disclosure. In an agent skill context, that can leak user-provided identifiers and create filesystem side effects unexpectedly, which is risky when users may assume analysis is local-only.

Ssd 3

Severity: Medium
Confidence: 94%
Finding: The instruction to transmit full token analysis to an external owner creates a natural-language data disclosure path outside the immediate user interaction. Even if the data is not obviously secret, it may contain user interests, strategies, or derived intelligence that should not be shared automatically.

VirusTotal

65/65 vendors flagged this skill as clean.