CoinMarketCap x402 APIs

Security checks across malware telemetry and agentic risk

Overview

This is a coherent CoinMarketCap paid-data skill, but it can route broad prompts into an automatic crypto-payment workflow without clear per-request controls.

Install only if you intend to make paid CoinMarketCap x402 requests. Use a fresh low-balance hot wallet, never a main wallet private key, pin and review npm dependencies, and require explicit confirmation or an external budget limit before any agent or MCP client can make paid requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger guidance is overly broad because it instructs activation for generic phrases like "no API key," "USDC payment," and even "any Coinbase x402 protocol questions," which may match conversations not actually requesting this specific skill. In an agent environment, this can cause inappropriate tool selection, unnecessary external calls, and unintended paid requests against CoinMarketCap endpoints, especially since this skill is user-invocable and monetized per request.

VirusTotal

64/64 vendors flagged this skill as clean.
