Voidly Pay

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed agent-payment and marketplace skill, but users should understand it can send task data to external services and spend Voidly credits.

Install only if you are comfortable enabling Voidly's external payment and marketplace infrastructure. Use explicit approvals, provider allowlists, and spending limits before any registration, faucet claim, hiring, payment, or MCP tool action, and avoid sending confidential prompts or business data unless you trust the provider path.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The invocation guidance is overly broad and could cause an agent platform to activate this payment/marketplace skill for ordinary requests about AI services, coordination, trust checks, or micropayments. In a skill that can register identities, contact external APIs, and initiate economic actions, ambiguous triggers increase the risk of unintended external actions or data sharing without sufficiently explicit user intent.

VirusTotal

6/63 vendors flagged this skill as malicious, and 57/63 flagged it as clean.

View on VirusTotal