ENS (Ethereum Name Service)

Security checks across malware telemetry and agentic risk

Overview

This ENS skill is coherent and purpose-aligned, with normal wallet-privacy and transaction-confirmation considerations.

Install if you are comfortable with ENS names and wallet addresses being queried through third-party services and stored per user for reminders. Before approving any ENS registration, renewal, record update, or transfer, verify the resolved 0x address, chain, cost, and wallet prompt.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs the agent to query third-party services for ENS profile lookups without warning that the queried ENS name or wallet address will be disclosed to external providers. Even though ENS data is public on-chain, sending a user's lookup target to web3.bio or similar services creates an off-chain privacy leak and may let providers correlate user activity, wallets, and interests.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill directs persistent storage of ENS names, expiry dates, and related preferences in per-user strategy and memory without informing the user that this identity-linked data will be retained. ENS names are often personally identifying and can be tied to wallet activity, so retaining them increases privacy risk and the blast radius of any later data exposure or misuse.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal