
Security audit

Anvil Mesh

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, but users should avoid or carefully verify any plain-HTTP payment or node endpoints before relying on them.

Install only if you are comfortable with payment-capable node/API workflows. Prefer HTTPS endpoints, independently verify payment addresses and prices, and do not trust transaction proofs or payment metadata received over plain HTTP without separate verification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill advertises and exemplifies use of plain HTTP endpoints for live node access, including data queries and an HTTP 402 payment flow, without warning users that traffic can be intercepted or modified in transit. In this context, a man-in-the-middle could tamper with manifests, topic data, pricing details, payment addresses, or proof-carrying requests, which is especially risky because the skill positions the service as payment-capable and transaction-verification related.

VirusTotal

64/64 vendors flagged this skill as clean.
