Back to skill

Security audit

Esri Workflow Smell Detector (Consumer)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate paid API client, but it asks for wallet private-key access and can authorize payments without enough user-facing guardrails.

Install only if you are comfortable giving this skill access to a wallet private key. Use a dedicated low-balance wallet, avoid storing the key in shell history or logs, verify the API endpoint and payment recipient, and require your agent to show the exact cost before any paid call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill describes capabilities that require reading files, using environment variables, and making outbound network requests, but it does not declare any permissions or safety constraints. This weakens reviewability and least-privilege enforcement, making it easier for an agent or operator to invoke sensitive behaviors without clear consent boundaries.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation tells users to export a private key and wallet address as environment variables without any warning about secret handling, process exposure, shell history, logging, or use of safer secret stores. Because the skill is specifically built to perform paid requests, compromise of the private key could directly enable unauthorized spending or wallet abuse.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script accesses a private key from the environment and can trigger a paid on-chain authorization flow immediately after receiving a 402 challenge, without an operation-site warning, confirmation step, or payment guardrails. In practice, a user can unintentionally authorize payments to an attacker-controlled or misconfigured endpoint, especially because the endpoint is CLI-overridable and challenge contents are trusted without strong validation.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
eth-account>=0.10.0
Confidence
95% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
eth-account>=0.10.0
Confidence
89% confidence
Finding
eth-account>=0.10.0

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.