Back to skill

Security audit

Anti Rug

Security checks across malware telemetry and agentic risk

Overview

This skill behaves like a Web3 token-risk checker and does not show hidden credential access, persistence, destructive behavior, or unrelated authority.

Reasonable to install if you are comfortable with a token checker sending the chain ID and contract address you scan to GoPlus, or to any custom API gateway you choose. Avoid using an untrusted custom gateway, and verify the repository/maintainer because the documentation lists two different GitHub repository paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill metadata declares no permissions or environment requirements, yet the documented installation and usage clearly indicate network-capable behavior through Python dependencies and blockchain/security scanning functions. This creates a transparency and consent gap: an agent or reviewer may treat the skill as low-privilege while it can make outbound requests to RPC endpoints, APIs, or repositories during execution.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.