Back to skill

Security audit

MetaMask Smart Accounts KIt

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only MetaMask smart-account development skill with sensitive wallet automation examples that are disclosed and aligned with its purpose.

Install this only for MetaMask Smart Accounts development. Use testnets first, never commit or log real private keys, prefer managed signing or KMS/HSM for production session accounts, and keep delegations limited by amount, target, redeemer, call count, and expiry with clear user consent and revocation controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The session account example silently falls back to `generatePrivateKey()` when `SESSION_KEY` is missing, which can cause an automation service to unintentionally use a brand-new identity and lose continuity, auditability, and expected authorization boundaries. In a smart-account/delegation context, that can lead to failed redemptions, mis-bound permissions, orphaned delegations, or operators mistakenly believing a stable backend identity is in use when it is not.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The example normalizes loading a private key from an environment variable without prominently warning that this is highly sensitive credential material. In Web3 backend agents, environment-variable secrets are often exposed through logs, crash dumps, CI output, container introspection, or misconfigured hosting, which can directly compromise delegated authority and funds reachable by the session account.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation includes an example of requesting recurring token permissions and then performing automated backend-triggered redemptions, but it does not explicitly warn that this enables ongoing asset movement without per-transaction user approval. In a Web3 wallet context, omitting that warning can normalize risky patterns and lead integrators to build flows where users do not fully understand that approved permissions may continue to move funds over time.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.