Polygon PoS Development

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Polygon smart-contract development guide, but users should be careful with private keys, live blockchain transactions, and the Foundry remote installer command.

Install Foundry only from official sources, use a dedicated low-balance deployment wallet, never commit or share .env files, avoid production mainnet keys for experiments, and confirm the network, wallet address, gas cost, and transaction details before running any --broadcast or cast send command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The mainnet deployment section includes `forge script ... --broadcast` for Polygon mainnet but does not explicitly warn that this sends real on-chain transactions using real funds. In a deployment-focused skill, especially one optimized for fast agent use, this omission increases the chance of accidental mainnet execution and unintended POL spending.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill instructs users to place `PRIVATE_KEY` in a `.env` file without a clear warning that this is highly sensitive secret material. This can lead to key exposure through shell history, screenshots, backups, logs, accidental commits, or insecure local storage, which would allow full wallet compromise.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The guide recommends using `--private-key $PRIVATE_KEY` directly on the command line during deployment. Even when sourced from an environment variable, passing secrets as CLI arguments can expose them through shell history, process listings, CI logs, or telemetry, which can lead to compromise of the deployer wallet and unauthorized transactions.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The guide shows a mainnet `forge script ... --broadcast --private-key $PRIVATE_KEY` command without an explicit warning that this signs and submits irreversible live transactions and can spend real MATIC. In a deployment guide, omission of that warning can cause operator error, especially for less experienced users moving from testnet to production.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The file instructs users to place a raw `PRIVATE_KEY` in a `.env` file and use it directly with `forge` and `cast` for broadcast/send operations, but it does not include a warning about secret handling, account isolation, or the fact that these commands submit real transactions to a live network. In a blockchain development guide, this omission can normalize unsafe key practices and lead to credential leakage, accidental use of a main wallet, or unintended on-chain actions even if the target is only a testnet.

VirusTotal

64/64 vendors flagged this skill as clean.