AI Wallet Payment System

Security checks across malware telemetry and agentic risk

Overview

This is a real cryptocurrency wallet/payment skill, but it can expose wallet recovery material and send irreversible ETH while making security claims the code does not support.

Treat this as experimental wallet software, not a production payment system. Use only testnets or unfunded wallets unless you independently audit it, keep TOTP seeds and backup codes out of chat/logs, and require your own manual approval and limits before any transaction can be broadcast.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Intent-Code Divergence
Severity: Medium. Confidence: 90%.
Finding:
The document repeatedly markets the skill as 'secure' for managing real cryptocurrency wallets and payments, while later admitting it is experimental, unaudited, and unsuitable for significant funds. In a wallet/payment context, this mixed messaging can cause operators or downstream agents to overtrust the system and expose real assets to loss.

Intent-Code Divergence
Severity: High. Confidence: 99%.
Finding:
The module-level 'security guarantee' claims numerous protections that the code does not actually implement, such as comprehensive prevention of every attack, constant-time behavior everywhere, complete memory wiping, and broad hardware-backed protections. In a wallet/payment system, these false assurances are dangerous because operators may deploy it under a mistaken belief that high-risk controls already exist, leading to unsafe handling of real funds and reduced scrutiny.

Intent-Code Divergence
Severity: High. Confidence: 98%.
Finding:
The HSM interface claims HSM-backed key generation and encryption, but the implementation falls back to software-generated ephemeral keys and a nonfunctional decrypt path. This creates a serious mismatch between expected and actual key protection, which is especially dangerous in a cryptocurrency wallet where users may assume hardware isolation of secrets that never actually occurs.

Intent-Code Divergence
Severity: High. Confidence: 98%.
Finding:
The wallet manager claims private keys are never cached and that operations are HSM-backed, but transactions are signed locally after decrypting the private key into process memory. Even if briefly held, plaintext key material in process memory increases exposure to memory disclosure, crash dumps, debugging, or malicious local code, and it directly contradicts the stated security model.

Intent-Code Divergence
Severity: Medium. Confidence: 93%.
Finding:
The database class advertises write-once audit logging and automatic backups, but the implementation uses ordinary mutable SQLite tables and has no backup mechanism. This can mislead operators into believing forensic and recovery controls exist when audit trails may be alterable or missing and backups nonexistent.

Missing User Warnings
Severity: Medium. Confidence: 88%.
Finding:
The README includes normal usage examples for wallet creation, balance checks, and sending ETH, but it does not place an explicit warning adjacent to those examples that they may interact with real wallets and real funds. In an AI-agent or automation context, readers may copy the example verbatim against mainnet settings, increasing the risk of accidental fund movement or unsafe testing with production assets.

Missing User Warnings
Severity: Medium. Confidence: 88%.
Finding:
The quick-start and advanced examples show wallet creation, backup export, and transaction submission workflows that could be copied directly into real environments, but they do not lead with strong warnings about irreversible blockchain transfers, private-key/backup sensitivity, or the danger of exposing MFA material. In a crypto-payment skill, omission of these warnings increases the chance of accidental fund loss or credential leakage by users and autonomous agents.

Missing User Warnings
Severity: Medium. Confidence: 95%.
Finding:
The wallet creation API returns the MFA secret, provisioning URI, and backup codes directly to the caller. In an agent or service context, that increases the chance these secrets are logged, echoed to untrusted clients, stored in traces, or exposed through downstream integrations, allowing attackers to bypass second-factor protections.

Missing User Warnings
Severity: High. Confidence: 96%.
Finding:
The transaction method performs a real blockchain transfer once called, without a distinct confirmation step or an interface contract emphasizing irreversibility. In an agent setting, where actions may be triggered indirectly or by manipulated inputs, this creates a high-risk path to unintended loss of funds because blockchain transfers are not easily reversible.

Missing User Warnings
Severity: High. Confidence: 99%.
Finding:
The production example prints MFA secrets and TOTP provisioning data to stdout, which is commonly captured by terminals, shell history tools, process supervisors, CI logs, remote consoles, or screen recordings. Exposure of this material allows an attacker to enroll the same TOTP seed and defeat MFA, which is particularly severe in a cryptocurrency wallet handling irreversible payments.

VirusTotal

64/64 vendors flagged this skill as clean.