Contract Scanner

Security checks across malware telemetry and agentic risk

Overview

This skill advertises real smart-contract safety checks, but the included scanner only returns hard-coded low-risk results that could mislead users.

Review this carefully before installing. Treat it as an incomplete demo, not a real contract scanner, and do not rely on its output for trading or security decisions. Do not provide an Etherscan API key unless the publisher replaces the mock logic with real documented analysis and removes definitive trading advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 82%
Finding
The skill declares external requirements such as curl and an ETHERSCAN_API_KEY, indicating likely network access, but it does not explicitly declare permissions for that capability. Hidden or undeclared network behavior reduces transparency and can lead to unintended outbound requests, data exfiltration, or surprising execution behavior in hosts that rely on permission manifests for enforcement.

VirusTotal

66/66 vendors flagged this skill as clean.
