Credex Protocol

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Credex DeFi skill, but it gives an agent raw wallet-signing power for irreversible financial actions without strong confirmation safeguards.

Install only if you are comfortable with an agent-accessible CLI using a raw wallet private key for live DeFi actions. Use a dedicated low-value or testnet wallet, verify the pool contract and agent URL before every run, keep CREDEX_AGENT_URL local or trusted, and manually review every borrow, repay, approval, deposit, withdrawal, or bridge command before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The reference exposes privileged credit-management functions such as onboardAgent and setCreditLimit that go beyond the skill’s stated user-facing borrowing, repayment, and liquidity workflows. In an agent setting, documenting these admin-like methods increases the chance that downstream tooling or prompts invoke dangerous capabilities not expected by users, potentially enabling unauthorized credit expansion or administrative misuse if access controls are misunderstood or misconfigured.

Context-Inappropriate Capability

Low
Confidence: 79%
Finding
Including a generic ERC20 transfer ABI gives the skill a broad asset-movement primitive that is not narrowly tied to the declared Credex lending purpose. In agent-driven execution, this expands the action surface from protocol interactions to arbitrary token transfers, which could be abused by prompt injection, misrouting, or operator error to move funds to unintended recipients.

Missing User Warnings

Medium
Confidence: 91%
Finding
The README presents live financial actions such as borrowing, repaying, depositing, withdrawing, and bridging assets as simple one-line commands without any warning that these actions may move funds irreversibly or require explicit user review before signing. In an agent-skill context, this is more dangerous than ordinary documentation because users or agents may treat the examples as safe defaults and execute them automatically, leading to unintended debt creation, liquidity loss, or cross-chain transfer mistakes.

Missing User Warnings

High
Confidence: 97%
Finding
The README instructs users to export a wallet private key directly into an environment variable without warning that this is highly sensitive credential material. In an agent environment, this substantially increases risk because shell history, process listings, logs, crash reports, or downstream tooling may expose the key, enabling complete wallet compromise and theft of funds.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger text includes broad activation language such as 'any credit/lending task on Arc,' which increases the chance the skill is invoked in situations the user did not specifically intend. Because this skill can borrow, repay, bridge, deposit, and withdraw funds, overbroad routing can lead to unintended financial actions or unsafe tool selection in sensitive contexts.

Missing User Warnings

Medium
Confidence: 94%
Finding
The documentation describes transaction-signing and asset-moving operations but does not present an explicit warning that actions are on-chain, financially risky, and potentially irreversible. In a skill that uses a private key and supports borrowing, repayment, liquidity provision, withdrawal, and bridging, missing warnings materially increase the risk of accidental loss, debt creation, or irreversible transfers.

Missing User Warnings

Medium
Confidence: 84%
Finding
The bridge examples describe cross-chain USDC transfers, which are irreversible value-transfer operations, without warnings about destination correctness, settlement risk, testnet/mainnet confusion, or fund loss from misconfiguration. For an autonomous or semi-autonomous agent, omission of these cautions materially raises the chance of users authorizing risky transfers they do not fully understand.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script directly loads WALLET_PRIVATE_KEY from the environment and immediately constructs a signing wallet, enabling any invoked state-changing command to sign transactions without an in-band user warning or confirmation. In an agent-skill context that triggers on natural-language borrowing, lending, and bridging tasks, this is risky because an automated caller may unknowingly authorize real fund movements once the environment is configured.

Missing User Warnings

Medium
Confidence: 98%
Finding
The deposit flow performs approve() and then deposit() immediately, both of which are irreversible on-chain actions, without displaying a transaction summary or requiring user confirmation. In this skill's credit/liquidity context, an AI agent or automation could be induced to commit USDC to the pool unintentionally, especially since approvals can authorize token spending by the pool contract.

Missing User Warnings

Medium
Confidence: 97%
Finding
The withdraw path sends a state-changing transaction that burns LP shares and moves value out of the pool without any runtime warning or confirmation. Because this skill is designed for autonomous credit and liquidity management, a mistaken or malicious prompt could cause unintended redemption of positions, potentially disrupting strategy or realizing losses when liquidity is constrained.

Missing User Warnings

Medium
Confidence: 98%
Finding
The bridge operation uses the private key to initiate cross-chain fund transfers with no explicit confirmation, despite bridging being operationally sensitive and harder to recover from if misrouted. In the context of an agent skill that triggers on lending and cross-chain tasks, this is more dangerous because natural-language ambiguity around source/destination chains can lead to unintended transfers or funds being stranded during bridge failures or delays.

VirusTotal

66/66 vendors flagged this skill as clean.
