Whale Watcher

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward crypto wallet transaction checker with some privacy and feature-disclosure caveats, but no hidden, destructive, or unrelated behavior was found.

Install only if you are comfortable sharing monitored wallet addresses and explorer API keys with Etherscan or BscScan. Use low-privilege or disposable API keys, do not provide a valuable Telegram bot token unless you verify it is needed, and do not rely on the advertised real-time Telegram features without testing because the included script does not implement them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The README instructs users to configure third-party API keys and highlights Telegram push notifications, but it does not clearly warn that wallet addresses, transaction activity, alert metadata, and possibly user-defined monitoring targets may be transmitted to external services. In a crypto-monitoring context, that omission can mislead users about privacy exposure and create operational-security risk, especially if monitored wallets are sensitive or tied to investment strategies.

VirusTotal

66/66 vendors flagged this skill as clean.
