Back to skill

Security audit

Chitin Cert

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent guide for issuing and verifying public on-chain certificates, with expected but important credential and permanence risks.

Install this only if you want an agent to help with public certificate workflows. Never share wallet private keys, protect and rotate any `ck_` issuer API key if exposed, review the optional MCP npm package before running it, and manually confirm wallet addresses, certificate text, evidence URLs, and webhook endpoints before issuing because records may be public and hard to undo.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

External Transmission

Medium
Category
Data Exfiltration
Content
Build a signed message in the format `Chitin Certs: Register issuer {address_lowercase} at {timestamp_ms}` (timestamp = `Date.now()` in milliseconds, must be within ±5 minutes).

```bash
curl -X POST https://certs.chitin.id/api/v1/issuers \
  -H "Content-Type: application/json" \
  -d '{
    "address": "0xYOUR_WALLET",
Confidence
60% confidence
Finding
curl -X POST https://certs.chitin.id/api/v1/issuers \ -H "Content-Type: application/json" \ -d '{ "address": "0xYOUR_WALLET", "name": "Your Organization", "description": "Optional: wha

External Transmission

Medium
Category
Data Exfiltration
Content
## Batch Issue (Up to 100 Certs)

```bash
curl -X POST https://certs.chitin.id/api/v1/certs/batch \
  -H "Authorization: Bearer ck_abc123..." \
  -H "Content-Type: application/json" \
  -d '{
Confidence
60% confidence
Finding
curl -X POST https://certs.chitin.id/api/v1/certs/batch \ -H "Authorization: Bearer ck_abc123..." \ -H "Content-Type: application/json" \ -d '{ "issuerAddress": "0xYOUR_WALLET", "certs":

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.