Cardano Staking

Security checks across malware telemetry and agentic risk

Overview

This staking checker is narrowly described, but it asks for a wallet seed phrase to perform a read-only rewards lookup.

Review carefully before installing. Do not provide a real wallet seed phrase unless you fully trust and have audited the MCP package and understand that the phrase can control the wallet. Prefer a version that uses a public stake address or another read-only method.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
This markdown/manifest file declares that the skill requires the `SEED_PHRASE` environment variable, which is highly sensitive credential material. The description explains the staking lookup purpose, but it does not warn users that the skill depends on wallet secret data or note the associated privacy/security implications.

VirusTotal

64/64 vendors flagged this skill as clean.
