Token Risk Explainer

Security checks across malware telemetry and agentic risk

Overview

This skill performs token-risk analysis as described, but normal analysis commands can also trigger third-party payment charges without a clear per-run confirmation step.

Install only if you intentionally want a SkillPay-billed token-risk tool. Before use, confirm the price, who controls SKILLPAY_APIKEY, what user_ref is sent, and whether your agent will require explicit approval or will always pass --skip-billing for non-billable runs. Token queries are also sent to Binance Web3 or a configured replacement endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
79% confidence
Finding
The skill declares no permissions even though its documented behavior and detected capabilities require environment access, file reads, and likely network access. This is dangerous because reviewers and users cannot accurately assess what the skill can touch, which weakens consent, sandboxing, and policy enforcement around secrets and outbound data flows.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill is presented as a token-risk explainer, but the documented behavior includes charging users via a third-party billing service and sending billing metadata externally. This mismatch is dangerous because users may invoke an analysis skill without realizing it triggers payment-related actions or external data sharing, creating consent, privacy, and trust issues.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file implements real payment-charging behavior, including authenticated requests to an external billing provider, retries, and idempotency handling, even though the declared skill is only for token-risk explanation. That mismatch materially increases risk because the skill can trigger financial side effects unrelated to user-visible purpose, enabling unauthorized or surprising charges if invoked by the surrounding agent workflow.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The module contains payment-processing logic not justified by the stated scope of a risk-explainer skill. Hidden or non-obvious monetization paths are dangerous in agent environments because tool invocation may occur automatically, turning a content-analysis skill into one that can create external financial transactions.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill performs billing as part of normal execution for explain/compare/watchlist operations, which is functionality outside the core risk-explainer purpose and can trigger a financial side effect without any in-file consent flow. In an agent setting, hidden or implicit charging is dangerous because a user may believe they are only requesting analysis while the tool also initiates a billable network action tied to their user reference.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The invocation description is broad enough to match common requests about token risk, watchlists, comparisons, and community copy, which can cause the skill to trigger in situations where the user did not clearly request this specific tool. In a skill that may read files, use environment secrets, access the network, and bill for some commands, overbroad activation increases the chance of unintended execution and unexpected charges or disclosures.

Natural-Language Policy Violations

Medium
Confidence
69% confidence
Finding
The skill metadata emphasizes Chinese and English output without clearly stating that language is user-selectable, which can lead to outputs being generated in an unintended language. By itself this is not a severe security flaw, but in risk communications it can cause misunderstanding, accidental disclosure to broader audiences, or poor user experience if sensitive analysis is shared in the wrong language.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The billing request sends user_ref, amount, call_name, idempotency_key, and timestamp to an external service without any evidence in this code of user notice, consent, minimization, or policy enforcement. In the context of a token-risk explainer, that makes the behavior more suspicious because users would not reasonably expect their identifiers and usage metadata to be transmitted to a payment processor as part of analysis.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code charges via the billing client using user_ref with no explicit user-facing warning, acknowledgement, or confirmation in this file. In an automated assistant workflow, this can produce unauthorized or surprising financial transactions, especially when calls are triggered indirectly by another agent or UI that presents the skill as informational rather than transactional.

VirusTotal

65/65 vendors flagged this skill as clean.