Etherscan

Security checks across malware telemetry and agentic risk

Overview

This read-only Etherscan helper is coherent with its purpose, though users should treat API keys and wallet lookups as sensitive.

Install only if you are comfortable sending Etherscan API requests for the addresses, transactions, and contracts you ask about. Prefer an environment variable or secure secret store for the API key when possible, avoid logging or sharing full request URLs containing apikey values, and remember that wallet lookups can reveal financial metadata to Etherscan.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill instructs the agent to obtain an API key from local files or environment variables and to send it as a query parameter to a third-party service, but it does not require explicit user consent or warn that the credential will be transmitted off-host. It also recommends persisting the key on disk, increasing the chance of accidental disclosure or reuse beyond the current task.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal