QMAP Client

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent devnet CLI wrapper, but users should understand it installs an external npm package and creates a local signing identity.

Install only if you trust the @alphify/qmap-client npm package. Use a separate devnet identity, protect files under ~/.qmap, avoid sharing wallet output unless you know it is public-only, and run worker/validator/coordinator commands only in an environment where devnet compute and signed network actions are acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The skill directs users to initialize a wallet and join the network, which implies creation of local identity material and credentials, but it does not warn users before those actions are taken. Even though the notes later mention local identity files, the setup flow presents security-sensitive commands without clear upfront disclosure of what will be created, where it will be stored, and how users should protect it.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal