Back to skill

Security audit

Test

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent crypto data CLI wrapper, but it handles sensitive wallet and exchange information, so users should configure it carefully.

Before installing, make sure you trust the separate `onchain` CLI implementation. Use read-only exchange API keys with trading and withdrawals disabled, store secrets in protected environment variables or a secure config location, and only query wallets or exchange accounts you are authorized to inspect.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises wallet balances, portfolio values, and CEX history features but does not warn that using them will send wallet addresses and exchange-related data to third-party APIs such as DeBank, Helius, Coinbase, and Binance. In an agent setting, users may assume local analysis and unknowingly disclose sensitive financial metadata, which can create privacy, tracking, and account-targeting risks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The configuration section enumerates sensitive API keys and secrets but gives no guidance on secure storage, least-privilege configuration, or secret exposure risks. In an agent/CLI workflow, this omission can lead users to place high-value exchange credentials in insecure files, logs, shells, or shared environments, increasing the chance of credential theft and account compromise.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.