Axon Agent

Security checks across malware telemetry and agentic risk

Overview

This skill performs high-impact Axon wallet and daemon operations, but those behaviors are disclosed and coherent with the skill's purpose, and there is no evidence of hidden or malicious activity.

Install only if you intend to operate an Axon agent. Use a dedicated low-balance wallet, keep the key file outside shared repos with restrictive permissions, run the dry run first, verify the chain/RPC/registry, review or pin the external Axon daemon source before giving it a key, and know how to stop the daemon and remove the watchdog cron.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The README instructs users to pass a private key file directly into blockchain registration and status-checking scripts, but it does not include any warning about secure storage, file permissions, accidental shell-history exposure, or the risk of credential theft. In a wallet/blockchain context, mishandling a private key can lead to irreversible loss of funds and unauthorized on-chain actions, so documenting this workflow without explicit safety guidance is a meaningful security issue.

VirusTotal

64/64 vendors flagged this skill as clean.
