Researcher Alpha Copilot

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed crypto research tool with an expected SkillPay billing hook for successful ranking runs.

Install only if you intend to use a paid crypto research copilot. Provide SKILLPAY_APIKEY only for paid runs, use --skip-billing or SKILLPAY_BILLING_MODE=noop for testing, and avoid sharing proxy-check output if proxy URLs may reveal sensitive network details.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Context-Inappropriate Capability

High

Confidence: 91% confidence
Finding: This code performs live charge requests to an external billing provider, which is a financially sensitive side effect. In the context of a crypto research/copilot skill, embedding payment execution increases risk because misuse, prompt-triggered invocation, or weak upstream authorization could cause unauthorized charges or abuse of a privileged operational capability.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The billing request transmits user_ref, amount, call_name, and idempotency metadata to an external service, but the code shows no notice, consent check, or minimization of user-linked data. Even if expected for payment processing, undisclosed outbound transfer of billing and user identifiers can create privacy, compliance, and trust issues, especially in an agent skill that users may perceive as purely analytical.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal