Sardis — Payment OS for AI Agents

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real payment integration, but it gives agents broad live financial authority without enough built-in confirmation and containment.

Install only if you intend to let an agent interact with live Sardis financial infrastructure. If you do: use a dedicated low-limit or least-privilege API key; require explicit human approval for every payment, bridge, escrow release, card issuance, and card reveal; prefer sandbox/testnet flows first; do not expose the FastAPI server publicly; and keep full card details and API keys out of prompts, logs, traces, and transcripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Context-Inappropriate Capability

Severity: Low
Confidence: 90%
Finding
The skill includes an example for sending alert data to an arbitrary external webhook, which extends behavior beyond Sardis-only guardrail operations. Even though it is commented as an integration example, it normalizes exfiltration of wallet security state and could leak sensitive operational data to untrusted destinations if copied into real workflows.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The skill registry exports executable capabilities that are broader than the manifest description and trigger guidance. In an agentic payment context, undeclared actions such as bridge transfers, invoice creation, compliance checks, and spending reports can expand the agent’s effective authority, creating a capability-confusion problem where orchestration or policy layers may permit tools users and operators did not expect.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
The README prominently advertises wallet creation, payments, card issuance, and spending authority without explicitly warning that these actions can move real funds, create financial accounts, or be irreversible. In an agent-skill context, unclear safety framing increases the chance that operators or downstream agents invoke high-impact actions as if they were routine automation.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The quick-start section provides copy-pastable commands against production endpoints that create agents, apply policies, and execute payments, but it does not clearly warn that these are live actions with real financial consequences. This is especially risky for AI-agent tooling because users may run examples verbatim, unintentionally provisioning wallets or sending funds.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill server example shows an API key being passed in request context without guidance on secure secret handling, redaction, or transport protections. In practice, this pattern can lead to credentials being logged, exposed in traces, or mishandled by intermediary services that process request bodies.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill documents payment execution and card issuance without an explicit warning that these actions can move real funds or create live payment instruments with irreversible consequences. In a payments context this is especially dangerous because users may invoke examples as if they were harmless tests, resulting in unintended transfers or spendable cards.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The setup flow instructs users to create/use an API key and send authenticated account credentials and financial metadata over the network without a privacy or disclosure notice. This increases the risk that users expose sensitive operational or financial information to a third-party service without understanding retention, logging, or data-sharing implications.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The skill is marked user-invocable and its description is broad enough to match generic card-management requests, which can cause the agent to trigger high-impact payment operations without sufficiently narrow user intent. In a payments/card skill, overbroad activation increases the chance of accidental card issuance, card state changes, or sensitive data access in contexts where the user did not clearly authorize financial actions.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill documents a card reveal endpoint that returns full PAN, CVV, and expiry data, but it does not require an explicit user warning, strong authorization gate, or a mandatory redaction/secure-handling flow before use. In an AI-agent setting, exposing full payment credentials is highly dangerous because model outputs, logs, transcripts, tool traces, or downstream prompts could leak reusable card data.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill documents a fund-release operation that can irreversibly transfer escrowed assets, but it does not include an explicit warning to verify recipient, amount, milestone state, and delivery before executing. In an agent-payment context, omission of such safeguards increases the chance of accidental or premature release of funds through automation or operator error.

Missing User Warnings

Severity: Low
Confidence: 85%
Finding
The setup instructs users to export and use a live API key but does not warn against exposing the secret in logs, transcripts, shell history, screenshots, or shared environments. Because the same key authorizes financial API actions, accidental disclosure could enable unauthorized payment operations.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The examples send identity, reputation, wallet-linked, and transaction-associated data to an external API, but the skill lacks an explicit privacy and data-sharing warning. Because this skill is user-invocable and identity-critical, operators may disclose sensitive agent metadata, public keys, wallet identifiers, comments, and transaction references without understanding retention, visibility, or downstream use.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill provides ready-to-run examples that create and execute real Tempo mainnet payment sessions, but it does not prominently warn that these commands can move real funds. In an agent skill context, executable examples materially increase the risk of unintended payment initiation, especially because the skill is user-invocable and model-invocation is enabled.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
This skill directly performs a wallet-affecting bridge transfer using write and execute permissions without any visible confirmation, preview, or step-up authorization in the skill logic. In an agent-payment context, that is dangerous because bridging moves funds across chains, may be irreversible or operationally hard to recover, and can be triggered by an agent workflow if upstream safeguards fail or are bypassed.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
This skill performs an irreversible payment transfer as soon as it is invoked, with no built-in confirmation, recipient verification, or user-facing disclosure in the execution path. In a payment skill for AI agents, that creates a meaningful risk of accidental, prompt-induced, or unauthorized fund movement if the agent is tricked or misfires.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
-d '{"agent_id": "agt_123", "natural_language": "Max $500/day, only OpenAI"}'

# Execute payment (policy auto-enforced)
curl -X POST https://api.sardis.sh/api/v2/pay \
  -H "X-API-Key: $SARDIS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"to": "openai.com", "amount": "25.00", "currency": "USDC", "chain": "base"}'
Confidence: 82%
Finding
https://api.sardis.sh/

VirusTotal

66/66 vendors flagged this skill as clean.
