Antalpha Airdrop Hunter

Security checks across malware telemetry and agentic risk

Overview

This airdrop-checking skill is not clearly malicious, but it needs review because it can auto-run on broad inputs and appears to use under-disclosed local file handling.

Install only if you are comfortable with the skill automatically analyzing airdrop-related links and project names. Treat its recommendations as advisory, do not connect a wallet or sign transactions based on it, and prefer a version that documents any local file reads/writes, narrows triggers, and rejects malformed or future-dated data by default.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
77% confidence
Finding
The skill declares no permissions, yet the static analyzer detected file read/write capabilities associated with the artifact. Hidden or undeclared file access weakens the trust boundary because a user or host may believe the skill is purely advisory while it can access or modify local data. In this context, the mismatch is more concerning because the skill is presented as a Web3 guidance tool, not a local data processing utility.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill description says it grades airdrops and checks scams, but the analyzer reports unrelated local file processing and date-based filtering behavior. That kind of description-behavior mismatch is dangerous because it can conceal non-obvious data handling, making users and reviewers underestimate what the skill actually does. The specific note that unparsable and future-dated entries are retained also suggests weak filtering logic that could preserve malicious or misleading content.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The function documentation says only articles within the requested age window are kept, but the implementation also allows articles with invalid or unparsable dates to pass through because is_within_days returns True on parse failure. In an airdrop-hunting workflow, this weakens freshness guarantees and can let stale, malformed, or deliberately manipulated entries bypass filtering, increasing exposure to outdated or misleading opportunities and scam content.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The quick command phrases are short, generic, and plausibly occur in ordinary conversation, which can cause the skill to trigger unintentionally. In a wallet- and link-safety-focused Web3 skill, accidental activation increases the chance of unsolicited recommendations, link handling, or user confusion at moments where the user did not explicitly request this skill.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The onboarding trigger phrases are broad enough to match routine conversation, which can cause unintended activation of the skill. Unintended activation matters in a Web3/security context because the skill may steer the conversation, auto-route users into wallet/link workflows, or suppress the user’s original intent. The skill context increases risk because airdrop hunting and phishing checks often involve sensitive links and high-risk decision points.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Automatically executing on any provided URL is overly permissive and can be triggered by unrelated links, quoted text, examples, or adversarial prompt content. In a security-themed skill, this is especially risky because the agent may over-trust that every URL should enter a scam-check workflow, creating opportunities for prompt manipulation, noisy tool execution, or mishandling of sensitive links.

Vague Triggers

Medium
Confidence
85% confidence
Finding
Treating any bare project name as a command to analyze that project is ambiguous and can misclassify normal conversation, comparisons, or hypothetical discussion. In this domain, that can cause the skill to present authoritative-looking investment or safety guidance without confirming the user’s real question, which may mislead users into acting on incomplete analysis.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## 2. Automation Triggers (MANDATORY)

| User Input Pattern | Auto-Execute Tool | Reason |
|--------------------|-------------------|--------|
| User provides a URL (with or without context) | `airdrop-scam-check` | Safety first. Verify before they click. |
| User provides only a Project Name (no verb/intent) | `airdrop-check-project` | They want to know if it's worth their time. |
Confidence
86% confidence
Finding
Auto-Execute

VirusTotal

67/67 vendors flagged this skill as clean.
