Send USD Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a simulation-only transfer skill, not a tool that moves real money or accesses sensitive systems.

Install only if you understand this as a simulation helper. If a future version connects to real payment rails, wallets, bank APIs, or account credentials, it should require explicit user confirmation for recipient and amount before any transfer.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: This skill enables monetary transfers but does not include any explicit warning, user confirmation step, or approval requirement before initiating payment. In agent-to-agent contexts, missing confirmation language increases the risk of unintended, unauthorized, or prompt-induced transfers, especially if an upstream agent invokes the skill automatically based on untrusted input.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal