Transaction Receipt

Security checks across malware telemetry and agentic risk

Overview

This is a read-only blockchain transaction lookup skill with expected third-party API calls and limited local rate-limit state.

Install only if you are comfortable with transaction hashes and request metadata being visible to Tokenview or public blockchain endpoints during lookups. Use a rotatable Tokenview API key if configured, avoid pasting keys into chat, and verify the GitHub repository before following the README clone instructions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The README describes fallback to third-party services such as Tokenview, publicnode.com, and blockstream.info, but does not clearly warn users that submitted transaction hashes and related metadata will be transmitted to those external providers. While transaction hashes are often public on-chain, user lookup behavior, IP address, timing, and associated context can still create privacy and operational exposure, especially in enterprise or sensitive investigation workflows.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal