Exfer

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent for Exfer cryptocurrency use, but it gives agents real wallet/payment authority and uses under-scoped install and safety guidance that users should review carefully.

Install only if you intentionally want an agent to operate an Exfer wallet. Use a dedicated low-balance wallet, protect EXFER_PASS and wallet backups, verify any downloaded binary before running it, prefer your own trusted RPC node, and require explicit human approval for each transfer or contract action.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill tells users to copy the encrypted wallet file and says it is 'safe to store anywhere,' which materially understates the sensitivity of both the backup and the associated passphrase. In a wallet-management context, this can lead agents or operators to place key material in insecure locations, increasing the chance of theft or brute-force/offline attack if the file is exposed.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The payment and contract examples show live fund transfers and contract execution without a prominent warning that blockchain transactions are typically irreversible and should be independently verified before submission. In a financial skill, this omission increases the likelihood of operator error, wrong-address transfers, or accidental locking/burning of funds.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal