Back to skill

Security audit

NewsRiver Global Intelligence

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about its finance and automation features, but it gives agents access to high-impact DeFi, wallet, payment, messaging, and scraping actions without enough stated user controls.

Review this carefully before installing. Use only with a dedicated low-balance wallet and require explicit approval for every transaction, bridge, wallet action, payment, email, SMS, or scrape. Confirm provider custody, logging, privacy, revocation, and spending-limit practices before allowing an agent to use the API.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises and demonstrates high-impact actions—token swaps, cross-chain bridging, wallet operations, email/SMS sending, and web scraping—without prominent safety gates, consent requirements, or warnings that these operations can move funds, message third parties, or trigger irreversible on-chain transactions. In an agent context, this materially increases the risk of unauthorized or accidental execution because the documentation normalizes live operational use rather than constraining it to explicit user-approved flows.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.