DeAI.au

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed on-chain marketplace helper that can move real crypto assets, so it is appropriate only for users who intentionally want that capability.

Install only if you want an agent to interact with real Base mainnet auctions. Use a dedicated low-balance wallet, approve only exact amounts, verify RPC/indexer and contract addresses, cross-check high-value auction details on-chain, and avoid unattended signing unless the password file is tightly protected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The reference provides direct, ready-to-run commands for approving tokens, creating auctions, bidding, buying, settling, and cancelling on a live Base mainnet deployment, but it does not prominently warn that these actions move real assets and are irreversible once confirmed. In an agent-skill context, this omission is dangerous because an agent or operator may treat the examples as routine automation steps and trigger unintended on-chain transfers, approvals, or sales with real economic consequences.

VirusTotal

64/64 vendors flagged this skill as clean.
