Security audit

Bobine Contract Caller

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Bobine contract-calling helper that uses user-provided targets and optional signing keys without hidden persistence or unrelated data access.

Install only if you intend to make Bobine contract calls from the agent. Treat sigkey values as private credentials, avoid sharing generated private keys in chat or logs, and verify the server, module, method, and params before any signed or state-changing call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
`signEd25519Call` accepts raw private key material as a hex string and imports it directly into process memory for signing, which creates a high-sensitivity secret handling path. In an agent skill context, this is more dangerous because skills may receive parameters from higher-level orchestration or users, increasing the chance that long-lived private keys are exposed to logs, traces, prompt history, crashes, or untrusted code paths.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Severity: Critical
Code: suspicious.exposed_secret_literal
Location: scripts/lib/bobine.mjs:106