g0

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent g0 marketplace guide, but it gives AI-accessible tools enough authority to move USDC and pay marketplace requests without clear safety guardrails in the artifacts.

Review before installing if you will connect a funded account. Verify the npm packages and publisher, use least-privilege or limited-balance API keys where possible, and require human approval before any action that sends USDC, accepts paid proposals, releases escrow, or changes payment/account settings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill includes withdrawal examples for sending USDC but does not explicitly warn that blockchain transfers are irreversible or instruct users to verify both recipient address and destination chain before sending. In a crypto-payment marketplace, omission of this warning materially increases the chance of permanent loss from operator error or prompt-induced misuse.

VirusTotal

59/59 vendors flagged this skill as clean.
