Kaspa News

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public Kaspa news and social updates from kaspa.news without credentials or persistence, with only a minor invocation-scope caution.

Install only if you are comfortable with the agent contacting kaspa.news when you ask for current Kaspa-related updates. For generic Kaspa discussion where you do not want live retrieval, ask the agent not to use this skill.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 80% confidence
Finding: The trigger phrases are broad enough to match ordinary Kaspa conversation, which can cause unintended invocation of a networked skill in contexts where the user did not explicitly request external retrieval. In an agent setting, ambiguous auto-invocation can expand data exposure and create prompt-routing risks, especially because the skill fetches third-party content and imposes strong output instructions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal