NEAR Intents 1click Api

Security checks across malware telemetry and agentic risk

Overview

This is a real crypto swap skill whose main purpose is disclosed, but it can move funds automatically and includes unsafe live-test/example code with weak confirmation and secret-handling controls.

Install only in a tightly controlled environment, preferably use manual mode, and do not configure a high-balance wallet private key. Treat any .env private key as full authority to move funds, avoid running the included live test/full-swap scripts, and require your own explicit quote review and confirmation before any transaction is signed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (17)

Context-Inappropriate Capability

Medium

Confidence: 90% confidence
Finding: The skill constructs and returns a ready-to-run `near-cli` transfer command using untrusted `recipient` and `amount` parameters, bypassing the intended Intents flow and its safeguards. In an agent setting, suggesting executable wallet commands can lead to unsafe fund transfers, command misuse, or reduced policy enforcement, especially if downstream components auto-present or execute the recommendation.

Intent-Code Divergence

Medium

Confidence: 98% confidence
Finding: The script is presented as a test with 'mock env vars' comments, but it falls back to a real private key and then submits an actual MAINNET intent. This mismatch is dangerous because a developer may run the file expecting a harmless test, yet it can spend real funds and execute irreversible cross-chain actions using embedded credentials.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The guide explicitly instructs agents to use auto mode to execute swaps end-to-end whenever NEAR credentials are configured, but it does not require an explicit user confirmation step immediately before funds are sent. In an agentic context, this can cause unintended transfers if the agent mis-parses a request, acts on ambiguous intent, or proceeds without the user understanding that configured credentials will be used to move real assets.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The installation guide explicitly instructs users to retrieve a NEAR private key from local credentials and place secrets into a .env file, but it does not include strong handling guidance such as never sharing the key, never committing it, restricting file permissions, or preferring safer key-management methods. In a cross-chain swap skill that can initiate real on-chain transfers, this omission materially increases the chance of credential exposure and wallet compromise.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The auto-mode setup tells users to configure NEAR_ACCOUNT_ID and NEAR_PRIVATE_KEY for automatic sending, but it does not clearly warn that these credentials can authorize real blockchain transactions and loss of funds. Because this skill performs swaps and bridging across chains, understated credential risk is especially dangerous: compromise of the configured environment can directly lead to unauthorized transfers.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The README includes an example `.env` with sensitive fields like `NEAR_PRIVATE_KEY` and `ONE_CLICK_JWT` but does not clearly warn readers that these are secrets requiring secure storage, rotation, and exclusion from logs/version control. In an agent-skill context, users may copy this verbatim into insecure environments, increasing the chance of credential leakage and unauthorized asset transfers or fee-account abuse.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The guide describes an automated flow that obtains a deposit address and instructs users to send tokens, including cross-chain transfers, without prominently warning that blockchain transfers are generally irreversible and that recipient chain/address details must be verified before sending. In a swapping/bridging skill, this omission materially increases the chance of user fund loss from mistakes, misrouting, or trusting an incorrect deposit/recipient address.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The documentation tells users to set NEAR_PRIVATE_KEY in .env for auto mode but does not include explicit guidance that this is a highly sensitive credential whose exposure can enable unauthorized transactions and theft of funds. In the context of a financial automation skill, normalizing private-key placement without security handling guidance increases operational risk substantially.

Missing User Warnings

High

Confidence: 95% confidence
Finding: In auto mode, the function obtains a quote and immediately transfers funds from the configured NEAR account to the quoted deposit address without any explicit user confirmation or policy gate. In an agent setting, this is dangerous because a prompt injection, parameter manipulation, or accidental invocation could cause irreversible on-chain transfers from a wallet controlled by environment-stored credentials.

Missing User Warnings

Medium

Confidence: 83% confidence
Finding: The skill loads NEAR_ACCOUNT_ID and NEAR_PRIVATE_KEY from environment variables and uses them to create a signer that can transfer funds. While using environment variables for secrets is common, in this agent skill the presence of a hot private key combined with an executable transfer path materially increases risk because the skill can spend funds without user-visible disclosure or explicit consent at runtime.

Missing User Warnings

High

Confidence: 97% confidence
Finding: This file is an executable script that immediately performs a real cross-chain swap using hard-coded recipient/asset parameters and calls fullSwap() at module load, with isTest explicitly set to false. In an agent skill context, that means importing or invoking the skill can cause live fund movement without an interactive confirmation, transaction preview approval, or safety gate, which materially increases the risk of unintended or unauthorized transfers.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The script reads a private key from environment variables and directly uses it to sign and submit a deposit transaction, but the file provides no local safeguards such as prompting, secret-manager integration, reduced key scope, or operational warnings. In a reusable skill, this encourages unattended signing with hot credentials, so misconfiguration, accidental invocation, or downstream compromise can immediately translate into loss of funds.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The manifest explicitly advertises support for sensitive secrets such as NEAR_PRIVATE_KEY and ONE_CLICK_JWT, but provides no accompanying warning about secure handling, storage, transmission, or the risks of enabling automatic signing. In a cross-chain DeFi/bridge skill, this is materially dangerous because users or agent operators may supply a hot private key to automation without understanding that compromise of the agent, logs, prompts, or integrations could lead to direct loss of funds.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The script generates a live NEAR private key and writes it in plaintext to a file on disk, which materially increases the chance of credential disclosure through source control commits, backups, shell history, malware, or local multi-user access. In this skill's context, the key controls a funded blockchain account used for swaps and bridging, so exposure can directly lead to theft of on-chain assets and unauthorized transactions.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill automatically initiates deposit and later withdrawal operations as part of swap execution without a distinct confirmation step or prominent warning to the user. In a cross-chain asset movement skill, implicit fund movements are dangerous because they can transfer assets into intermediary contracts or external recipient addresses based on parsed input, increasing the chance of irreversible loss from mistakes or prompt-injection-driven actions.

Missing User Warnings

Medium

Confidence: 99% confidence
Finding: A hardcoded private key in source code is a direct secret exposure and enables anyone with repository or package access to control the associated account. In this skill's blockchain context, compromise can immediately lead to theft of funds, unauthorized swaps/bridges, and abuse of any account permissions tied to that key.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The script performs a real mainnet swap/bridge operation immediately when run, without explicit user confirmation, dry-run mode, or a prominent irreversible-transaction warning. In a cross-chain asset transfer skill, this is especially risky because transactions can move value to another chain/recipient and are difficult or impossible to recover once submitted.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal