Aiusd Skills

Security checks across malware telemetry and agentic risk

Overview

This AIUSD skill is aligned with trading/account management, but it needs Review because it can move funds, uses persistent account tokens, auto-resets authentication state, and ships opaque installers that run code without enough user control.

Install only if you trust AIUSD with assistant-mediated financial access. Before using it, require explicit approval for every trade, stake, unstake, withdrawal, and gas top-up, and verify the amount, asset, chain, destination address, and fees. Prefer inspecting the extracted package before running the self-extracting installers, and be aware that reauthentication can delete local auth/session files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence

Severity: Medium
Confidence: 86%
Finding:
The skill gives restrictive authentication-response rules, then elsewhere instructs the agent to perform reauthentication actions and describe progress in ways that conflict with those rules. This inconsistency is dangerous because it can cause the agent to take sensitive auth-related actions or provide misleading guidance without a coherent safety boundary, increasing the chance of unsafe account-handling behavior.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The file header presents the script as a self-contained skill package, but the actual behavior is that of an installer that modifies the filesystem, extracts an embedded archive, and invokes external tools. This mismatch reduces user ability to make an informed trust decision and can conceal higher-risk behavior such as dependency installation and arbitrary package contents.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding:
The header presents the file as a self-extracting installer, but the script also runs npm install on extracted package contents. npm install executes package lifecycle scripts from the unpacked archive and its dependencies, so this installer performs code execution beyond mere extraction, which materially changes the trust model.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The README encourages users to execute trades, staking actions, and withdrawals through natural-language prompts without prominently warning that these are real financial operations that may be irreversible or costly. In a bot/chat context, this increases the chance of accidental or socially engineered transactions because users may treat examples as harmless commands rather than live asset movements.

Missing User Warnings

Severity: Low
Confidence: 79%
Finding:
The authentication section says the bot will 'automatically handle authentication' and suggests using 're-login' if needed, but it does not explain token scope, local storage risks, or the consequences of account access through the bot. This can mislead users into granting sensitive account access without understanding how credentials are stored or what an attacker with local/chat access could do.

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
The documented reauthentication flow includes clearing auth caches and launching browser OAuth without requiring prior user warning or consent. Those actions can log a user out, switch accounts, destroy session state, or trigger unintended authentication in a different browser context, which is especially risky in a financial skill handling trading and withdrawals.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The error-handling policy tells the agent to automatically run reauth on common auth failures, again without informing the user that caches may be cleared and a browser-based login may be triggered. In a finance-related account-management skill, automatic auth mutation is dangerous because it can disrupt active sessions, cause account confusion, and train the agent to take privileged recovery actions without consent.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The installer unconditionally removes any existing aiusd-skill directory with recursive deletion and no confirmation, backup, or path safety checks beyond the fixed subdirectory name. This can cause destructive data loss if the directory contains user modifications, secrets, or unrelated files.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding:
The script extracts an opaque embedded tarball and immediately runs npm install, which can execute package lifecycle scripts from untrusted package contents and dependencies. In the context of a skill installer, this is especially dangerous because the archive contents are not visible for review and npm install can lead to arbitrary code execution on the host.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The installer unconditionally deletes an existing ./aiusd-skill directory with rm -rf after only a generic log message and no confirmation. This can destroy local work, customizations, or unrelated files placed in that directory, creating avoidable destructive behavior in a script users are encouraged to run directly.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The installer decodes an embedded archive, extracts it, and then runs npm install on the extracted package without any explicit warning that this may execute arbitrary code via npm lifecycle scripts and dependency hooks. In the context of a skill installer distributed as a single shell script, this is especially dangerous because users may assume it only unpacks files while it actually triggers code execution from opaque embedded content.

VirusTotal

66/66 vendors flagged this skill as clean.