Digital Health

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only payment integration skill with sensitive but disclosed wallet-signing guidance that matches its stated purpose.

Install only if you intend to build these x402 payment flows. Before using the agent-payment path, review the Privy dependency, keep secrets out of source control and logs, use testnet or strict spend limits first, and validate token, amount, recipient, chain, nonce, and expiry before any production signing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly instructs users to add autonomous agent payment flows using server-controlled wallets and 'no user click' signing, but it does not include clear warnings about real fund movement, spending limits, approval requirements, or the fact that these actions unlock paid resources. In a payments skill, omission of such guardrails increases the chance that downstream agents or developers implement unattended spending in unsafe ways, leading to unintended transactions or abuse of paid endpoints.

VirusTotal

64/64 vendors flagged this skill as clean.
