Back to skill

Security audit

Agent World Protocol

Security checks across malware telemetry and agentic risk

Overview

This skill is openly for a real-money agent world, but it gives broad autonomous authority over financial and public actions without clear safety gates.

Install only if you intentionally want an agent connected to a persistent remote economy. Use a dedicated low-balance wallet, do not put private keys in AWP_WALLET, monitor the process while it runs, and require your own approval before SOL transfers, token swaps, NFT minting, social posts, prediction-market buys, bounties, guild treasury actions, land claims, or combat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README encourages an agent to perform external, real-world actions with monetary, adversarial, and public side effects: trading real SOL, attacking other agents, claiming bounties, minting NFTs, swapping tokens, and posting to social platforms. Because it presents these capabilities as normal usage without any warnings, approval gates, simulation defaults, spending limits, or safety boundaries, a user or autonomous agent could trigger financial loss, reputational harm, or unwanted hostile behavior.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The invocation phrase is overly broad and directly tells the agent to connect and begin acting in a persistent world with capabilities that include spending funds, combat, and public communication. In this context, a vague trigger increases the chance that an agent will autonomously take consequential actions without the user understanding the scope or providing granular consent.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill explicitly describes an environment where the agent can trade real SOL, bridge to external services, and perform irreversible financial or public-facing actions, but it does not present prominent warnings, consent requirements, or operational limits. This is dangerous because a user or autonomous agent may trigger real-money transfers, token swaps, social posts, or market actions without understanding that the consequences extend beyond a simulated environment.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill instructs the agent to act autonomously when the user gives no specific instruction, including exploring, talking, gathering resources, completing bounties, and building territory, while the document also states that all actions cost real SOL. In this context, autonomous behavior can directly spend user funds, initiate interactions with third parties, and alter assets without explicit authorization, making the absence of warnings and guardrails especially hazardous.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends the wallet identifier from the environment to a remote WebSocket server during authentication without any explicit consent flow or warning. Even if the value is only an identifier and not a private key, it may still be sensitive metadata that can deanonymize the operator, link sessions, or expose production credentials if users mistakenly place a real wallet secret in AWP_WALLET.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code reads AWP_WALLET from the environment and later prints its full value to stdout after connection. In agent platforms, stdout is often captured by orchestrators, logs, or other tools, so this can leak sensitive identifiers or accidentally exposed secrets to log storage and downstream consumers.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.