Liberfi Portfolio

Security checks across malware telemetry and agentic risk

Overview

This wallet portfolio skill is review-worthy because it tells the agent to silently install a global CLI and can use authenticated LiberFi wallet account data without clear consent or cleanup boundaries.

Install only if you trust LiberFi and are comfortable with a global npm CLI being installed. Require explicit approval before installation, prefer a pinned or sandboxed install, and use authenticated `me` commands only when you intend the agent to access your private LiberFi wallet portfolio. Check how the CLI stores login tokens and how to revoke or remove them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill explicitly instructs the agent to perform a global npm installation without user consent, which modifies the host environment and introduces supply-chain risk. In an agent setting, silently installing software is dangerous because it can change system state, require elevated privileges, and surprise the user or operator.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal