Security audit

Agentic Lending Morpho

Security checks across malware telemetry and agentic risk

Overview

This skill openly supports on-chain financial actions, but it also exposes broader EVK tooling and can persist raw signing keys if users provide them.

Install only if you intend to run a high-authority crypto workflow that can fund feeds and deploy markets. Use environment variables or an external signer rather than raw private keys in request files, run preflight and dry-run first, keep generated run directories private, and avoid the lower-level EVK/Euler commands unless you deliberately mean to use them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The artifact included in this skill is for Euler's CrossAdapter price oracle rather than a Morpho-first Api3 lending workflow component described by the skill metadata. In an agentic deployment context, this mismatch can cause the agent to reason over or deploy the wrong contract family, leading to incorrect oracle routing, failed integrations, or unsafe market setup if users rely on the skill for real execution.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The artifact metadata explicitly references Euler vault proxy creation even though the skill is described as Morpho-first and not for Euler EVK flows. This mismatch can cause the agent or operator to select an out-of-scope contract artifact and invoke GenericFactory.createProxy in the wrong workflow, leading to unintended proxy creation or deployment steps that bypass the skill’s stated safety boundaries.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The registry content contradicts the skill's declared scope: it contains only Euler EVK markets even though the skill is described as Morpho-first and explicitly says not to use it for Euler EVK flows. In an agentic workflow, configuration files are often treated as authoritative routing inputs, so this mismatch can cause the agent to select and act on unsupported markets, leading to unintended deployments, validations, or signer-backed transactions on the wrong protocol path.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This code can move from planning into real signer-backed execution by resolving private keys, simulating calls, sending buySubscription transactions, and deploying communal proxies. In an agent skill context, that is dangerous because a caller or chained agent may trigger irreversible on-chain actions and spend funds if command routing or consent checks are bypassed, especially since the skill description emphasizes planning-first behavior.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This helper constructs a ready-to-send execution object that explicitly includes broadcast/send enablement and a runtime private key field, making it easy for downstream code to pass secrets through general request objects and accidentally trigger live transactions. In an agentic lending/deployment skill that can progress from planning to signer-backed execution, this materially increases the risk of secret exposure, unsafe automation, and unintended on-chain actions if user input or later pipeline stages are compromised or insufficiently gated.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
This status/progress text is security-relevant because the tool operates in a signer-backed deployment workflow. Telling the user that only adapter deployment is being prepared while the code proceeds into full market deployment can cause materially incorrect operator approval, especially in a system explicitly designed to gate live sends on informed acknowledgement.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The validators accept `morpho` as a supported protocol, but planning logic later intentionally blocks anything except EVK. This creates a deceptive interface where callers can believe Morpho workflows are supported, causing failed or misrouted automation and potentially triggering fallback behavior in surrounding systems that was not intended for a blocked request.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The validators accept `morpho` as a supported protocol, but planning logic later intentionally blocks anything except EVK. This creates a deceptive interface where callers can believe Morpho workflows are supported, causing failed or misrouted automation and potentially triggering fallback behavior in surrounding systems that was not intended for a blocked request.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This code accepts signer-backed execution inputs including raw private keys and supports real transaction sending for EVK/Euler deployment flows, which exceeds the stated Morpho-only planning scope. In an agent skill context, hidden execution capability materially raises risk because a caller may provide secrets or approvals to a component whose declared purpose does not justify handling them.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The workflow persists full request and response bundles to disk, not just minimal planning artifacts. In this skill, requests can include execution configuration and sensitive operational context, so broad artifact persistence expands the attack surface through local secret exposure, accidental check-in, or later reuse by unrelated processes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The execution path accepts raw private keys or environment-variable-resolved keys and immediately constructs a Wallet for simulation or transaction submission, but provides no inline user-facing safety interstitial describing that live signing may occur. In an agent environment, this increases the risk of accidental secret use and unintended fund movement because users may not realize the path has crossed from analysis into active transaction handling.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The communal proxy deployment path signs and can submit a contract deployment transaction after only an acknowledgement-string check, with no stronger in-band disclosure or secondary approval. In a skill intended for agentic workflow orchestration, that makes accidental contract deployment and associated gas spending more likely if the action is invoked by mistake or through unsafe automation.

Missing User Warnings

High
Confidence
99% confidence
Finding
The artifact-writing path serializes the full request object, and this file's request schema allows `send.privateKey` and feed-funding private keys. That means private keys and execution details can be written in plaintext to disk without redaction, creating a direct credential-compromise path that could lead to irreversible on-chain asset loss.

Missing User Warnings

High
Confidence
95% confidence
Finding
The send path uses `send.privateKey` to instantiate a wallet and submit live transactions to a network. Although there is an acknowledgement check, the execution capability is embedded in a planner skill and relies on secrets passed in request data, which is dangerous in agentic contexts because logs, artifacts, or upstream tooling may expose those credentials or trigger unintended broadcasts.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/lib/api3-feed-manager.js:352

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/lib/api3-feed-manager.js:3448

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/lib/part2-morpho-planner.js:1472