Back to skill

Security audit

Tyrpay Buyer Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent TyrPay buyer payment skill, but it gives an agent wallet-based payment authority without clear spending caps or human approval gates.

Review before installing. Use this only if you intentionally want an agent to manage TyrPay buyer payments. Configure a dedicated low-balance wallet, pin and verify the external packages, check the settlement contract and chain, and require human confirmation plus per-transaction and total spending limits before any funding action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs an agent to create and fund payment tasks, monitor settlement, and request refunds, but it does not explicitly warn that funding can lock real assets until settlement or timeout conditions are met. In an agent setting, this omission increases the risk of unintended financial actions because operators or downstream users may treat the workflow as routine task orchestration rather than a funds-locking payment flow.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.