TheRoaster

Security checks across malware telemetry and agentic risk

Overview

The skill is a documented roast-generation API with optional wallet-based paid credits; the wallet and data-sharing parts need care but fit the stated purpose.

Use the free tier unless paid quota is needed. Before any paid action, verify the Base chain, contract address, USDC amount, tier, duration, and transaction purpose, and require explicit human approval before signing or sending anything. Avoid submitting confidential messages or sensitive personal data for roasting, and store any issued API key securely.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The README explicitly enables agents to build purchase transactions, sign messages, and purchase plans with a controlled wallet, but it does not place strong, repeated user-consent and transaction-verification safeguards next to those flows. In an agent-skill context, this is dangerous because wallet approval, purchase, and signature requests can lead to unauthorized financial actions or signature misuse if an agent acts without explicit human confirmation for each step.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal