Security audit

DeFi Yield Farming Optimizer

Security checks across malware telemetry and agentic risk

Overview

The skill appears to provide DeFi portfolio or yield analysis. Wallet and portfolio review is expected for that purpose, but the audit raises privacy and scope cautions.

Install only if you intend to use it for DeFi-specific analysis. Prefer manual wallet-address entry or read-only wallet connection, never provide seed phrases or private keys, and assume any wallet address or portfolio scan may reveal holdings and cross-chain activity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Severity: Medium
Confidence: 85%
Finding:
The skill description is broad enough to overlap with many ordinary finance, investing, or optimization requests, which can cause over-invocation in contexts where the user did not intend to engage a DeFi-specific tool. In a high-risk financial domain, accidental activation can expose users to unsuitable guidance, wallet-connection prompts, or risk-heavy recommendations that are not appropriate for general financial questions.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill instructs users to connect a wallet and scan portfolio positions without prominently warning that wallet addresses, balances, positions, and cross-chain activity may be exposed to the skill or third-party APIs. In the DeFi context, that data can reveal financial holdings and behavioral patterns, creating privacy, profiling, and phishing risk even if no private keys are requested.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.