Back to skill

Security audit

Purchase Anonymous Data eSIM (Crypton.sh)

Security checks across malware telemetry and agentic risk

Overview

This skill coherently provides a disclosed Crypton.sh eSIM browsing, checkout, and order-status workflow, with privacy and dependency cautions but no evidence of hidden or malicious behavior.

Install only if you trust Crypton.sh for plan lookup, checkout, payment handling, and order retrieval. Treat order UUIDs, payment links or wallet addresses, ICCIDs, QR codes, and activation codes like sensitive credentials, and prefer an environment that resolves requests to a current patched version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions while clearly documenting network access to an external API. This creates a transparency and governance gap: users and reviewers are not told that the skill will transmit queries and order data off-platform, which can expose sensitive purchase, device, and order information to a third party.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list includes broad phrases such as 'mobile data', 'travel data', and 'data plan' that may appear in ordinary conversation and unintentionally invoke the skill. Accidental activation is more concerning here because the skill can lead users into a purchase flow and disclose order/payment details in chat.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill shows and discusses highly sensitive order and device-related data in chat, including order UUIDs, ICCID, payment addresses, and eSIM activation codes, but does not warn users against sharing or exposing this information. If chat transcripts are logged, shared, or viewed by others, these details could enable account/order tracking, service misuse, or theft of the purchased eSIM profile.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
Confidence
97% confidence
Finding
requests>=2.28.0

Known Vulnerable Dependency: requests==2.28.0 — 7 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +4 more

High
Category
Supply Chain
Confidence
83% confidence
Finding
requests==2.28.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.