BaseCred

Security checks across malware telemetry and agentic risk

Overview

BaseCred is a focused wallet-reputation lookup skill whose API-key and network use matches its stated purpose, with normal caution needed around .env files and third-party services.

Install only if you are comfortable querying wallet addresses through Ethos, Talent Protocol, and optionally Neynar. Use a dedicated workspace `.env` containing only the needed API keys, avoid parent directories with unrelated secrets, and consider pinning or reviewing the `basecred-sdk` version before use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs the agent to run a script that auto-discovers the workspace `.env` and uses API keys to query third-party services, but it does not warn the user that local secrets will be read and transmitted off-box. This creates a transparency and consent problem: users may invoke the skill expecting only an address lookup, while the workflow silently relies on workspace credentials and external API calls.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal