Asrai Crypto Analysis (x402)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to provide the advertised paid crypto analysis, but it asks users to expose wallet and exchange secrets in unusually risky ways.

Review carefully before installing. Use only a dedicated low-balance wallet, do not put a primary private key in URLs or shared env files, avoid the remote URL form containing key=0x..., set a low ASRAI_MAX_SPEND, and only use read-only, IP-restricted exchange keys with trading and withdrawals disabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Severity: High, confidence: 90%
The documentation instructs users to place exchange API credentials into a general environment file for a skill primarily presented as market analysis, creating unnecessary exposure of highly sensitive account credentials. If the skill, host agent, logs, subprocesses, or other installed tools can read that environment, an attacker could exfiltrate account data or abuse keys, especially if the keys are not restricted to read-only access.

Description-Behavior Mismatch

Severity: Medium, confidence: 95%
The skill manifest and top-level description frame the capability as Asrai crypto analysis, but the documented `positions` feature expands scope into accessing a user's live exchange account data via separate exchange API credentials. This is a real security-relevant mismatch because it can surprise users and hosts with access to sensitive financial account information not clearly disclosed in the primary metadata.

Context-Inappropriate Capability

Severity: Medium, confidence: 94%
The documented exchange endpoint materially expands the skill from passive market analysis into retrieval of live account and position data using exchange credentials. Exposing an interface that accepts or references API keys and secret keys increases the risk of credential misuse, overcollection of sensitive financial data, and unintended access to a user's trading account, especially because this capability is not necessary for the stated market-analysis purpose.

Vague Triggers

Severity: Medium, confidence: 81%
The README tells users to 'just ask your agent naturally' and says the agent will pick the right tool automatically, which encourages broad, implicit invocation of a paid and credentialed skill. In an agentic environment, vague natural-language routing can trigger unintended calls, causing unnecessary spending, disclosure of wallet-backed capabilities, or use of sensitive tools without deliberate user intent.

Missing User Warnings

Severity: High, confidence: 95%
The README instructs users to place a blockchain private key directly into ~/.env without any prominent warning about secret handling, wallet segregation, or fund risk. A private key gives direct control over funds, so normalizing this setup in a generic environment file materially increases the chance of theft through local compromise, accidental disclosure, logs, backups, or other tools reading the same environment.

Missing User Warnings

Severity: High, confidence: 99%
The remote connection examples place the private key in the URL query string, which is extremely dangerous because URLs are commonly stored in browser history, proxy logs, server logs, analytics, referer headers, screenshots, and configuration files. Exposing a wallet private key this way can lead to immediate compromise of the associated funds and any services using that key.

Missing User Warnings

Severity: High, confidence: 92%
The exchange API key setup section asks users to place sensitive credentials in ~/.env but does not warn about secret exposure, required permission restrictions, or consequences of compromise. In agent environments, those credentials may be accessible to plugins, subprocesses, logs, or other skills, increasing the chance of unauthorized account access or misuse.

Vague Triggers

Severity: Medium, confidence: 78%
The invocation guidance is very broad and encourages use for common finance and investment questions, which increases the chance the agent triggers paid external calls when not strictly necessary. In the context of a wallet-backed pay-per-call skill, overbroad routing can cause unnecessary spending and unintended disclosure of user queries to an external service.

Missing User Warnings

Severity: High, confidence: 98%
The skill instructs users to place a wallet private key in an environment variable so payments can be signed automatically, but it does not present a strong warning about the sensitivity of that key or the financial authorization it grants. In a crypto context, mishandling a private key can lead to irreversible loss of funds, making this materially dangerous.

Missing User Warnings

Severity: High, confidence: 98%
The `positions` feature requests exchange API credentials via environment variables without clear warnings about their sensitivity or the account access they enable. Exchange API keys can expose trading data and, depending on permissions, may enable account actions; storing them casually in local env files raises the risk of theft, misuse, or accidental overprivilege.

Missing User Warnings

Severity: Medium, confidence: 96%
The documentation normalizes use of API keys and secret keys for exchange access without any warning about their sensitivity, storage, logging, or privacy impact. Including secrets in a URL path is especially dangerous because URLs are commonly logged by clients, proxies, servers, and telemetry systems, which can leak exchange credentials and expose account data or enable unauthorized actions depending on key permissions.

VirusTotal

No VirusTotal findings