Bot World Mining

Security checks across malware telemetry and agentic risk

Overview

This is a coherent crypto-game skill, but it should be reviewed because it lets an agent perform real-token swaps, withdrawals, and PvP balance-affecting actions without clear approval limits.

Review carefully before installing. Use only a dedicated low-value wallet and agent name, verify the wirx.xyz service independently, and require explicit human approval for any registration, swap, withdrawal, PvP action, or long-running mining session. Treat the 20% exchange spread, hot-wallet custody, counterparty risk, and irreversible on-chain withdrawals as real financial risk.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill encourages wallet registration, token mining, swapping, and withdrawals involving real crypto assets, but provides no warnings about irreversible transactions, custody risk, exchange spread, counterparty risk, or loss from PvP and hot-wallet withdrawals. In an agent context, this is dangerous because it can normalize autonomous financial actions and asset movement to an external service without explicit user consent, risk disclosure, or spending limits.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal