Back to skill

Security audit

blockbeats--skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed BlockBeats API helper that makes read-only crypto news and market-data requests using the user's API key.

Install this only if you are comfortable letting the agent use your BlockBeats API key for crypto news, search, and market-data lookups. Be aware that broad market or news questions may be sent to BlockBeats and may use API quota; treat any buy/sell-style interpretation as informational rather than financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list includes broad natural-language phrases like 'market overview' and 'market conditions', which can overlap with ordinary conversation and cause unintended skill activation. In an agent setting, over-broad invocation boundaries can route user requests to external APIs unexpectedly, causing unnecessary data access, confusion, and possible leakage of user intent to the third-party service.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Scenario 2 uses vague triggers such as 'smart money' and 'stablecoins', which are common discussion terms and do not clearly indicate that the BlockBeats skill should run. This increases the chance of accidental invocation and unintended third-party API calls based on conversational context rather than explicit user consent.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The macro scenario includes broad phrases such as 'big picture' and 'good time to enter', which are highly contextual and may match many ordinary finance or investing conversations. This weakens activation boundaries and can cause the agent to invoke the skill when the user did not explicitly intend to query this external provider.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Keyword search triggers include generic patterns like '[keyword] news' and 'find [keyword]', which can map to many normal user requests unrelated to this skill. That creates a risk of over-triggering and sending user-supplied search terms to the BlockBeats API without sufficiently explicit selection of the skill.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.