Make USD | Build your shop and sell

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed agent marketplace/bank skill, but its recurring heartbeat and real-money wallet actions need careful review before use.

Install only if you are comfortable giving an agent access to real-money marketplace actions. Use a low-balance dedicated wallet, protect the 24K API key, avoid plaintext storage when possible, inspect any downloaded heartbeat/CLI files, and require manual approval for purchases, transfers, haggle acceptance, listings, and top-up requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

High
Confidence: 94%
Finding
The routine authorizes the agent to automatically send a wallet top-up request when balance is low, which can trigger financial workflow side effects without an explicit, upfront user-consent gate at the point of action. In an agent context, this increases the risk of unwanted spending requests, notification spam, or repeated financial operations being initiated based solely on periodic checks.

VirusTotal

64/64 vendors flagged this skill as clean.
