Back to skill

Security audit

Gotchi Pocket

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it manages Aavegotchi pocket wallet transfers through Bankr, but users should treat it as real asset-moving wallet automation.

Install only if you want an agent to manage Aavegotchi pocket token transfers through Bankr. Keep BANKR_API_KEY private, verify gotchi ID, token, amount, recipient, owner, and pocket address before any transaction, and avoid SKIP_BANKR_OWNER_CHECK=1 unless you have independently confirmed the action is safe.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill invokes shell-based scripts and external binaries (`cast`, `jq`, `curl`, `python3`) but does not declare corresponding permissions or execution scope. This creates a trust and review gap: an agent or platform may treat the skill as lower risk than it really is, while the skill can still perform network calls, parse untrusted input, and initiate wallet-affecting operations via shell tooling.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The helper automatically searches multiple unrelated local locations and the user systemd environment for a Bankr API key, which expands the skill's access beyond the declared task of pocket-wallet management. This creates an implicit credential-harvesting behavior: the skill can silently appropriate existing credentials and use them for authenticated actions without explicit user consent or scoping.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code reads a sensitive Bankr API key from environment/config automatically and provides no visible disclosure that credentials will be consumed. In an agent skill context, silent credential use is risky because users may trigger networked wallet actions without realizing the skill is authenticating as them.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The function sends authenticated requests to an external Bankr endpoint with the X-API-Key header, but there is no user-visible warning that credentials are being transmitted off-host. Even over HTTPS, undisclosed credential transmission increases the chance of unintended authenticated actions and reduces user control over sensitive operations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The wallet-lookup helper makes an authenticated prompt request to Bankr to retrieve the user's wallet address, again without explicit notice or consent. In this skill context, that means merely checking ownership can silently disclose account-linked information to a third-party service and trigger authenticated remote processing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This script submits an on-chain token transfer through Bankr immediately after computing calldata, without any explicit confirmation prompt, dry-run, or opt-in safety gate. In a wallet-management skill, that increases the chance of unintended asset movement from ambiguous user input, automation mistakes, or prompt-injection-driven invocation, especially because deposits are irreversible once broadcast.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.