WachAI-x402

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed paid DeFi token-risk skill with small capped wallet charges, but users should verify the external CLI and approve charges deliberately.

Before installing, verify the external x402-wach CLI/npm package and publisher, use a low-balance AWAL wallet, keep the 0.01 USDC cap, and confirm the token and chain before each analysis. Do not provide private keys, seed phrases, or wallet files; this skill says they are not needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill metadata and instructions indicate paid analysis requests can be performed automatically via x402/AWAL, but they do not require an explicit user-facing confirmation immediately before a chargeable action. In an agent setting, this can lead to unintended spending if the agent invokes the skill based on an ambiguous request or routine analysis flow.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal