pawr-link

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed guide for creating and updating public pawr.link profiles, including paid x402 USDC actions, with no hidden executable code.

Install only if you want an agent to manage a pawr.link profile. Before running create or update examples, confirm the endpoint, username, wallet, profile content, and USDC price, and prefer a dedicated wallet with limited funds or spending controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill triggers paid on-chain actions, but the top-level description does not prominently warn users that create and update operations can automatically spend USDC via x402. In an agent setting, weak disclosure increases the risk of unintended financial transactions because a caller may interpret profile management as a normal API action rather than a wallet-spending action.

VirusTotal

66/66 vendors flagged this skill as clean.
