Potato Tipper

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do its stated Potato Tipper setup work, but it needs review because its setup flow takes a raw private key from an environment variable and broadcasts transactions that grant the PotatoTipper contract token-spending (operator) permission over the user's $POTATO.

Review before installing or running. Use only a dedicated, low-balance controller key; never paste a production private key into a command line or shared terminal; verify the cloned repository, the target chain ID, and every contract address; simulate the transaction before broadcasting; choose the smallest tipping budget; and make sure you know how to revoke the $POTATO operator approval and the Universal Profile delegate settings afterwards.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The documentation promises that setup connects PotatoTipper, configures settings, and authorizes the token budget in one transaction, but the example never performs the operator authorization. Integrators may rely on this example, deploy incomplete automation, and wrongly assume tipping is enabled or budget-limited, leading to broken setups, failed transactions, or insecure ad hoc follow-up steps to grant authorization later.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The example goes beyond merely configuring Universal Profile data keys and also authorizes the PotatoTipper contract as a token operator, which grants it the ability to spend or manage up to the approved token budget. That is a sensitive wallet-affecting permission and materially changes the user's risk exposure, so including it as part of a setup example without strong separation and warning is dangerous.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The code explicitly calls authorizeOperator on the token contract, granting the PotatoTipper contract authority over a user-specified token amount. Even if intended for legitimate tipping automation, this is effectively an allowance-like delegation to a third party, and if the contract is buggy, upgraded maliciously, or misunderstood, users can lose approved funds.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The README instructs users to pass a blockchain private key directly via an environment variable in a quick-start command, but provides no warning about shell history, process inspection, CI logs, or accidental persistence in terminal/session state. In this skill's context, that key likely controls a Universal Profile with permission to modify delegates and move token-bearing assets, so exposure could lead to unauthorized account control, configuration changes, or theft of funds.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The phrase 'Use this skill for anything technical around the Potato Tipper contracts repo' is overly broad and can cause the agent to invoke this skill in situations beyond narrowly scoped setup or documentation tasks. Because the skill includes workflows that handle private keys and perform on-chain configuration changes, accidental invocation could lead to unintended sensitive actions or unsafe guidance being surfaced in unrelated contexts.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill prominently describes a setup flow requiring a PRIVATE_KEY and executing a broadcast transaction that modifies a Universal Profile and authorizes token operator spending, but it does not place a clear upfront warning about the sensitivity and irreversible consequences of these actions. In an agent setting, this increases the risk that users paste secrets into chat or that the agent proceeds with dangerous wallet-changing instructions without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The documentation instructs users to pass a raw PRIVATE_KEY directly into a shell invocation without any explicit warning about secret handling, shell history/process exposure, or the fact that the script will perform live on-chain writes and authorize operator spending. In a skill whose purpose is to configure a Universal Profile and grant tipping budget permissions, this omission is materially dangerous because users may expose credentials or unintentionally authorize token spending on the wrong network or address.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The markdown examples trigger on-chain state changes on a user's Universal Profile and also grant token-operator permissions, but they do not include explicit user-facing warnings about the consequences of these actions. In skill context, this is more dangerous because the skill description says it requires a private key and is intended to help agents automate setup, increasing the chance that users or agents execute sensitive transactions without understanding the permission scope.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The script requires a raw PRIVATE_KEY and immediately uses it with `forge script --broadcast`, causing a live on-chain transaction with no dry-run, chain-ID verification, transaction preview, or interactive confirmation. In the context of an agent skill that asks the user to supply a private key, this is more dangerous because automation can make it easy to run against the wrong network, wrong profile address, or maliciously modified cloned code, leading to unintended state changes and fund loss.
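The findings above (and the mitigation list in the Overview) all come down to the same gap: the documented `PRIVATE_KEY=... forge script --broadcast` invocation writes to chain with no chain-ID check, no simulation, no confirmation, and a key sitting in shell history and the process environment. The wrapper below is an added example written for this review; it is not code from the Potato Tipper repository. It assumes Foundry's `forge`/`cast` CLIs, an encrypted keystore created beforehand with `cast wallet import <name> --interactive`, LUKSO chain IDs (42 mainnet, 4201 testnet, both assumptions since the page never names the chain), and placeholder variables (`SETUP_SCRIPT`, `UP_ADDRESS`, `TIPPER_ADDRESS`, `POTATO_TOKEN`, `CONTROLLER_ADDRESS`, `KEYSTORE_ACCOUNT`, `RPC_URL`) that the reader fills in. The preflight checks are pure shell and run offline; only `run_setup` touches the network, and only when `RUN_SETUP=1`.

```shell
#!/usr/bin/env sh
# Added example: hardened wrapper for the Potato Tipper setup broadcast.
# Not part of the Potato Tipper repo. Chain IDs and variable names are assumptions.

# Chain the operator intends to write to. Assumption: LUKSO testnet (4201); mainnet is 42.
EXPECTED_CHAIN_ID="${EXPECTED_CHAIN_ID:-4201}"

# check_chain_id EXPECTED ACTUAL: the RPC endpoint must report the chain we expect.
check_chain_id() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# is_address ADDR: 0x-prefixed 20-byte hex; rejects the zero address and junk.
is_address() {
    case "$1" in
        0x0000000000000000000000000000000000000000) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^0x[0-9a-fA-F]{40}$'
}

# refuse_raw_key: the README pattern leaves PRIVATE_KEY in shell history and in
# /proc/<pid>/environ of every child. Refuse to run while it is set at all.
refuse_raw_key() {
    [ -z "${PRIVATE_KEY:-}" ]
}

# preflight UP TIPPER TOKEN ACTUAL_CHAIN_ID: all static checks; returns 0 only if safe.
preflight() {
    refuse_raw_key || { echo "PRIVATE_KEY is set; use a keystore account instead" >&2; return 1; }
    check_chain_id "$EXPECTED_CHAIN_ID" "$4" || { echo "chain id $4 != expected $EXPECTED_CHAIN_ID" >&2; return 1; }
    for a in "$1" "$2" "$3"; do
        is_address "$a" || { echo "bad address: $a" >&2; return 1; }
    done
}

# run_setup: 1) live chain-id check, 2) simulation (no --broadcast),
# 3) explicit confirmation, 4) broadcast signed from the encrypted keystore.
run_setup() {
    actual=$(cast chain-id --rpc-url "$RPC_URL")
    preflight "$UP_ADDRESS" "$TIPPER_ADDRESS" "$POTATO_TOKEN" "$actual" || exit 1
    # Dry run first: forge script without --broadcast only simulates.
    forge script "$SETUP_SCRIPT" --rpc-url "$RPC_URL" \
        --account "$KEYSTORE_ACCOUNT" --sender "$CONTROLLER_ADDRESS"
    printf 'The simulation above authorizes %s as operator on %s. Broadcast? [yes/NO] ' \
        "$TIPPER_ADDRESS" "$POTATO_TOKEN"
    read -r answer
    [ "$answer" = "yes" ] || { echo "aborted, nothing broadcast"; exit 1; }
    forge script "$SETUP_SCRIPT" --rpc-url "$RPC_URL" \
        --account "$KEYSTORE_ACCOUNT" --sender "$CONTROLLER_ADDRESS" --broadcast
}

if [ "${RUN_SETUP:-0}" = "1" ]; then
    run_setup
fi
```

Usage: `RUN_SETUP=1 RPC_URL=... KEYSTORE_ACCOUNT=potato-ctrl ... sh setup-guard.sh`. The keystore password is prompted by `forge`, so no secret ever appears on a command line. Sourcing the file without `RUN_SETUP=1` is side-effect free, which is what lets the checks be exercised in isolation. After a run, the revocation path the Overview asks you to know still has to be exercised separately against the token contract; this example does not perform it.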

VirusTotal

66/66 vendors flagged this skill as clean.
