Erc8004 Reputation

Security checks across malware telemetry and agentic risk

Overview

This is a coherent ERC-8004 reputation skill, but write commands use wallet credentials to send real blockchain transactions.

Installing this skill is reasonable if you want ERC-8004 reputation tooling. Use read-only commands freely; for give or revoke, use a dedicated low-balance wallet, verify the chain, agent ID, target contract, tags, and gas estimate, and avoid putting a main wallet mnemonic or private key in shared shells, logs, CI, or long-lived agent environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 79%
Finding:
The skill documentation indicates capabilities to read environment variables and access the network, but it does not declare those permissions explicitly. That weakens transparency and consent, especially because the skill handles wallet credentials and performs external/API and blockchain interactions. In a wallet-enabled skill, undeclared env/network access increases the chance users expose secrets or allow outbound calls they did not expect.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 86%
Finding:
The skill is presented as an on-chain reputation tool, but the leaderboard feature depends on an off-chain Agentscan API. This mismatch can mislead users about trust boundaries, data provenance, availability, and privacy, since leaderboard results are no longer purely derived from the advertised on-chain registry. In a reputation/trust skill, undisclosed off-chain dependency is especially sensitive because users may overtrust the output as decentralized and tamper-resistant.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The skill claims an on-chain reputation capability, but the leaderboard command silently introduces an off-chain trust source by querying Agentscan over HTTPS. This can mislead users into treating externally aggregated data as canonical reputation data, creating integrity and trust-boundary issues if the API is stale, manipulated, or unavailable.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The file adds a separate off-chain data aggregation path that is not necessary for core registry interaction and expands the skill's trust and attack surface. Any compromise or manipulation of the external API can influence displayed rankings and decision-making, especially in a reputation-oriented tool where data integrity is central.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
The skill instructs users to place a mnemonic or private key into environment variables without any warning about secret-handling risks. Environment variables can leak through shell history, process inspection, logs, CI/CD systems, crash reports, or inherited subprocess environments. Because these are wallet credentials, compromise could lead to full asset theft and unauthorized on-chain actions.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The write commands for giving or revoking feedback are described without clearly warning that they create blockchain transactions, consume gas, and may be irreversible or difficult to undo once confirmed. Users may invoke them believing they are simple local/API actions, which can lead to unintended spending or permanent reputation changes. In a multi-chain skill, that risk is amplified by varying gas costs and different user assumptions across networks.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The give-feedback flow estimates gas and immediately signs and broadcasts a state-changing transaction with wallet material loaded from the environment, without an explicit confirmation step. In an agent skill context, this increases the chance of unintended irreversible blockchain writes if the command is invoked with wrong parameters or by automation without adequate review.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The revoke path performs an irreversible destructive on-chain action immediately after gas estimation, again without asking the user to confirm the target feedback index and account. Because revocation changes reputation state and cannot be casually undone, accidental invocation is a meaningful integrity risk.

VirusTotal

66/66 vendors flagged this skill as clean.