Security audit

superrare-deploy

Security checks across malware telemetry and agentic risk

Overview

This skill is a purpose-aligned deployment helper that defaults to dry-run, with some credential-discovery and receipt-retention caveats users should understand.

Run the dry-run first and verify the chain, factory address, calldata, collection name, and symbol before using --broadcast. Install only if you are comfortable with the skill using an existing Bankr credential on the machine, and review receipt files before sharing them because they may include RPC URLs or deployment metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill declares executable shell-based behavior and external tooling requirements (`cast`, `jq`, `curl`) but does not declare corresponding permissions. That mismatch can undermine policy enforcement and user awareness, especially for a deployment skill that can submit transactions and interact with network/RPC endpoints.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The function searches multiple ambient sources for a Bankr API key, including user environment and several config files outside this skill’s directory, which broadens the trust boundary and can silently consume credentials the user did not intend to expose to this skill. In a deployment skill that can trigger real on-chain actions, implicit credential discovery is risky because it enables unintended account/API use without explicit consent or disclosure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Sensitive credential retrieval happens silently, with no warning that the script will read BANKR_API_KEY from the environment, systemd user environment, or Bankr config files under the user’s home directory. This lack of transparency increases the chance of surprise credential use and undermines informed consent, especially for a skill that performs deployment-related operations against external services.

Session Persistence

Medium
Category
Rogue Agent
Content
- Dry-run is the default. Deployment only broadcasts with `--broadcast` or `DRY_RUN=0`.
- Supported chains for RARE factory deployment are `mainnet`, `sepolia`, `base`, and `base-sepolia`.
- If `--max-tokens` is omitted, the 2-argument factory call is used.
- Successful broadcasts write receipts into `receipts/`.

## Bankr API key resolution
Confidence
78% confidence
Finding
write receipts into `receipts/`. ## Bankr API key resolution 1. `BANKR_API_KEY` 2. `systemctl --user show-environment` 3. `~/.openclaw/skills/bankr/config.json` 4. `~/.openclaw

VirusTotal

65/65 vendors flagged this skill as clean.