Back to skill

Security audit

Basename Agent

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent identity-registration goal, but the supplied code evidence shows broad wallet-signing and auto-approval behavior that could authorize actions outside that goal.

Install only if you are comfortable reviewing and constraining the wallet scripts first. Use a low-value or dedicated wallet, require interactive confirmations, verify every message and transaction before signing, and avoid connecting it to arbitrary dApps until contract, origin, calldata, and value allowlists are added.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill demonstrates access to environment variables and extensive outbound network use, but declares no permissions or trust boundaries. In an agent ecosystem, this is dangerous because consumers may execute the skill without realizing it can access wallet material from env and transmit signed/authenticated data to third-party services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
77% confidence
Finding
The documented behavior is narrower and safer-sounding than the capabilities described by the static finding: the skill appears able to function as a general wallet connector that can sign messages and submit arbitrary transactions, not just register a basename. Capability drift like this is dangerous because operators may grant it wallet access expecting a single-purpose registration tool, enabling broader transaction/signing abuse than advertised.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This script approves a WalletConnect session and then services broad signing methods including personal_sign, eth_signTypedData(_v4), and eth_sendTransaction for whatever the connected dapp requests, with no validation that the request is specifically for Basename registration, no contract allowlist, no calldata checks, and no value limits. Because the browser automation pulls a WalletConnect URI from a live website and then auto-approves/signs requests, a compromised site, malicious modal, or unexpected session request could trick the wallet into signing arbitrary messages or sending arbitrary transactions from the user's wallet.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This script explicitly provides a general-purpose WalletConnect bridge that can connect to arbitrary dApps and sign transactions/messages, which is materially broader than the stated Basename/ร†mail identity-registration purpose. In an agent skill context, this expands authority from a narrowly scoped registration flow to unrestricted wallet actions, creating a strong capability-mismatch and a realistic path to unintended or phishing-driven fund loss.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code handles arbitrary `eth_sendTransaction` requests from connected dApps and forwards them with the agent wallet, without validating destination, calldata, function selector, or business purpose. Because the skill is framed as an identity-registration tool, this unrestricted transaction execution is especially dangerous: any paired dApp can request value transfers or contract interactions unrelated to Basename, leading to theft or unauthorized onchain actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
When `--interactive` is not enabled, the script operates in auto-approve mode and will approve sessions and sign/send supported requests without a fresh confirmation at the point of use. For wallet operations, especially in an AI-agent setting connected to external dApps, this removes a critical safety barrier against malicious or unexpected signing requests and can directly enable unauthorized transactions.

External Transmission

Medium
Category
Data Exfiltration
Content
resp = requests.post('https://api.basemail.ai/api/auth/start',
    json={'address': wallet.address}).json()
sig = wallet.sign_message(encode_defunct(text=resp['message']))
auth = requests.post('https://api.basemail.ai/api/auth/agent-register',
    json={'address': wallet.address, 'signature': sig.signature.hex(),
          'message': resp['message']}).json()
Confidence
84% confidence
Finding
requests.post('https://

External Transmission

Medium
Category
Data Exfiltration
Content
resp = requests.post('https://api.basemail.ai/api/auth/start',
    json={'address': wallet.address}).json()
sig = wallet.sign_message(encode_defunct(text=resp['message']))
auth = requests.post('https://api.basemail.ai/api/auth/agent-register',
    json={'address': wallet.address, 'signature': sig.signature.hex(),
          'message': resp['message']}).json()
Confidence
84% confidence
Finding
requests.post('https://api.basemail.ai/api/auth/agent-register', json=

External Transmission

Medium
Category
Data Exfiltration
Content
// 2. Sign + Register (auto-detects your new Basename)
const signature = await account.signMessage({ message });
const { token, email } = await fetch('https://api.basemail.ai/api/auth/agent-register', {
  method: 'POST', headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ address: account.address, signature, message, basename: fullName }),
}).then(r => r.json());
Confidence
84% confidence
Finding
fetch('https://api.basemail.ai/api/auth/agent-register', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
// 2. Sign + Register (auto-detects your new Basename)
const signature = await account.signMessage({ message });
const { token, email } = await fetch('https://api.basemail.ai/api/auth/agent-register', {
  method: 'POST', headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ address: account.address, signature, message, basename: fullName }),
}).then(r => r.json());
Confidence
84% confidence
Finding
https://api.basemail.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
-d '{"address":"YOUR_WALLET_ADDRESS"}'

# 3. Sign + Register
curl -X POST https://api.basemail.ai/api/auth/agent-register \
  -H "Content-Type: application/json" \
  -d '{"address":"...","signature":"0x...","message":"..."}'
Confidence
83% confidence
Finding
https://api.basemail.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
resp = requests.post('https://api.basemail.ai/api/auth/start',
    json={'address': wallet.address}).json()
sig = wallet.sign_message(encode_defunct(text=resp['message']))
auth = requests.post('https://api.basemail.ai/api/auth/agent-register',
    json={'address': wallet.address, 'signature': sig.signature.hex(),
          'message': resp['message']}).json()
Confidence
84% confidence
Finding
https://api.basemail.ai/

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
console.log(`๐Ÿ“ Address: ${address}`);
  console.log(`โ›“๏ธ  Chain: ${config.chainId}`);
  console.log(`๐Ÿ”— RPC: ${config.rpc}`);
  console.log(`๐Ÿ” Mode: ${config.interactive ? 'Interactive (prompt before signing)' : 'Auto-approve'}`);
  if (config.audit) {
    console.log(`๐Ÿ“ Audit: ${AUDIT_FILE}`);
  }
Confidence
88% confidence
Finding
Auto-approve

Unpinned Dependencies

Low
Category
Supply Chain
Content
"connect": "node scripts/wc-connect.js"
  },
  "dependencies": {
    "@walletconnect/core": "^2.0.0",
    "@walletconnect/web3wallet": "^1.0.0",
    "ethers": "^6.0.0",
    "puppeteer": "^21.0.0"
Confidence
95% confidence
Finding
"@walletconnect/core": "^2.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "@walletconnect/core": "^2.0.0",
    "@walletconnect/web3wallet": "^1.0.0",
    "ethers": "^6.0.0",
    "puppeteer": "^21.0.0"
  },
Confidence
95% confidence
Finding
"@walletconnect/web3wallet": "^1.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "@walletconnect/core": "^2.0.0",
    "@walletconnect/web3wallet": "^1.0.0",
    "ethers": "^6.0.0",
    "puppeteer": "^21.0.0"
  },
  "keywords": ["basename", "base", "ens", "web3", "ai-agent"],
Confidence
92% confidence
Finding
"ethers": "^6.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"@walletconnect/core": "^2.0.0",
    "@walletconnect/web3wallet": "^1.0.0",
    "ethers": "^6.0.0",
    "puppeteer": "^21.0.0"
  },
  "keywords": ["basename", "base", "ens", "web3", "ai-agent"],
  "license": "MIT"
Confidence
97% confidence
Finding
"puppeteer": "^21.0.0"

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.