Para Wallet

Security checks across malware telemetry and agentic risk

Overview

This wallet skill appears coherent and not malicious, but it gives agents high-impact blockchain signing capability without enough built-in safety guidance.

Install only if you intentionally want an agent to create Para wallets and request wallet signatures. Use beta or test environments first, protect PARA_API_KEY as a secret, and require explicit human approval after decoding and checking every transaction or message before any sign-raw request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (92% confidence)

Finding
The skill exposes a raw signing capability and describes signing serialized transactions and message hashes without prominently warning that these signatures can authorize irreversible on-chain actions. In an agent context, this increases the risk of users or downstream systems treating signing as harmless data processing, leading to unintended asset transfers or approvals.

Missing User Warnings

Medium (88% confidence)

Finding
The documentation instructs users to export and send a secret API key but does not warn about exposure through shell history, terminal transcripts, CI logs, screenshots, or shared debugging output. In agent and automation environments, such omissions materially raise the chance of credential leakage and unauthorized wallet creation or signing requests.

VirusTotal

65/65 vendors flagged this skill as clean.