Indigo DEX

Security checks across malware telemetry and agentic risk

Overview

This is a read-only Cardano DEX helper with a privacy caveat around wallet balance lookups through Blockfrost.

Install only if you are comfortable using the configured SteelSwap, Iris, and Blockfrost MCP tools. Do not provide seed phrases, private keys, or wallet addresses you do not want queried through an external provider; treat swap estimates as informational, not transaction approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence: 89%
Finding
The skill explicitly offers wallet balance checks through Blockfrost, which requires users to supply a wallet address to an external service, but it does not disclose that this data leaves the local agent context. While wallet addresses are public on-chain, users may still reasonably expect privacy about which addresses they are querying, and undisclosed third-party transmission can create privacy and trust issues.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs the agent to send a user-provided Cardano wallet address to the external Blockfrost API, but it gives no privacy notice or consent step. Wallet addresses are pseudonymous rather than anonymous, and querying a third-party service can disclose user interest, wallet associations, and transaction-linked holdings to an external provider.

VirusTotal

64/64 vendors flagged this skill as clean.
