Alura

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Alura testnet API reference, but it gives an agent authenticated trading and funds-transfer actions without clear user-confirmation guardrails.

Install only if you intend to let an agent work with the Alura testnet trading API. Verify the official domain before signing wallet messages or sharing Bearer tokens, and require explicit confirmation before any trade, close-position, withdrawal, reward claim, or USDC transfer, including exact asset, amount, position/session ID, and destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill documents multiple high-risk authenticated actions such as withdrawing funds, sending USDC, closing positions, claiming rewards, and triggering trading operations, but it provides no explicit user-facing warning, confirmation requirements, or safety guidance about financial loss or account-impacting consequences. In an agent context, this increases the chance that an automated system could invoke destructive endpoints with real user credentials or tokens without adequately informing the user or obtaining high-assurance confirmation.

VirusTotal

66/66 vendors flagged this skill as clean.
