Crypto Price Alerts

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: manage local crypto price alerts and check prices through a standard exchange library, with no evidence of hidden credential access or destructive behavior.

Install only if you are comfortable with your watched crypto pairs and target prices being stored in a local JSON file and queried through Binance/ccxt. Do not rely on Telegram or Discord notification claims from these artifacts alone; test delivery before using it for time-sensitive trading decisions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 91% confidence
Finding: The skill explicitly states that alerts are stored locally in a user-specific file, but it does not warn users that their alert history and trading interests persist on disk. While this is not an active exploit, it creates a privacy and transparency issue because sensitive behavioral or financial-interest data may remain accessible to other local processes, backup systems, or shared-device users.

Unpinned Dependencies

Low

Category: Supply Chain
Content: "keywords": ["crypto", "alerts", "price", "notifications", "trading"], "category": "finance", "dependencies": { "ccxt": "^4.0.0" } }
Confidence: 94% confidence
Finding: "ccxt": "^4.0.0"

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal