Back to skill

Security audit

AgentsBank

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate crypto banking SDK, but it exposes direct fund-transfer and batch-transfer APIs without an enforceable user approval gate.

Review carefully before installing or connecting funded wallets. Use testnet or low-limit credentials first, enforce a separate human approval step before any send, sendSafe, signMessage, or sendMultiple call, and do not rely on maxGasUSD as an enforced fee cap in this version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This library exposes high-impact capabilities to move cryptocurrency funds and sign messages, which can authorize off-platform actions, yet no surrounding skill metadata or purpose constrains when these actions are appropriate. In an agent skill context, such primitives materially increase abuse potential because a prompt-injected or misconfigured agent could trigger irreversible blockchain transfers or signatures.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The `sendSafe` method advertises gas-limit enforcement via `maxGasUSD`, but the implementation only calls `estimateGas()` and discards the result, so no fee cap is actually enforced. This can mislead integrators into believing a spending guardrail exists, resulting in unexpectedly expensive transactions or bypass of policy controls in production.

Missing User Warnings

Medium
Confidence
72% confidence
Finding
The SDK exposes message signing and documents it mainly as a useful authentication feature, but does not adequately warn that signatures can authorize off-platform actions, prove wallet control, or be abused in phishing-style workflows. In agentic contexts, developers may treat message signing as harmless text signing and unintentionally let an agent sign security-sensitive payloads.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The send method performs an irreversible on-chain transfer directly from supplied parameters with no built-in confirmation, out-of-band approval, or transaction simulation gate. In an autonomous agent setting, a single bad instruction, prompt injection, or parameter mix-up can immediately result in permanent loss of funds.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The batch transfer helper iterates through recipients and sends funds repeatedly without any explicit confirmation barrier, enabling rapid multi-recipient asset exfiltration in one call. Because blockchain transfers are irreversible, this amplifies the blast radius of agent misuse, compromised inputs, or prompt injection far beyond a single transaction.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.