Security audit
Haggle Protocol
Security checks across malware telemetry and agentic risk
Overview
The skill is transparent about its purpose, but it can let an agent sign irreversible crypto transactions with a private key and no visible built-in transaction limits.
Install only if you are comfortable letting an agent interact with crypto transactions. Use a dedicated wallet with minimal funds, test on testnets first, verify the npm package and contract addresses independently, approve only exact token amounts, and do not expose a main wallet private key.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
64/64 vendors flagged this skill as clean.