Warden Messari Agent

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only guide for using a paid crypto research agent; the payment and network behavior are disclosed and purpose-aligned, but users should approve any wallet spending carefully.

Install only if you intend to use a paid crypto research agent. Before signing any x402 payment, verify the URL, network, amount, recipient, and wallet being used; consider a low-balance wallet and do not send secrets or private wallet information in prompts.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Low

Confidence: 89% confidence
Finding: The README explicitly demonstrates interacting with a paid service and notes that payment may be required, but it does not clearly warn users that following the flow can incur real USDC charges. In a skill intended for agent integration, that omission can lead to unintentional spending or automatic invocation by downstream tooling without adequate user consent.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill instructs users to construct and sign x402/EIP-3009 payment authorizations for paid requests, but it does not prominently warn that this can authorize real USDC spending. In an agent-skill context, users may treat example code as routine API usage and unknowingly approve payment-linked actions against live networks and recipient addresses.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal