Mpp mobula

Security checks across malware telemetry and agentic risk

Overview

This skill matches its stated purpose, but it uses an encrypted hot wallet to automatically spend small amounts of USDC.e for Mobula API calls.

Install only if you are comfortable running a small hot wallet on this machine. Keep only a few dollars in it, use an isolated user or workspace when possible, pin and review dependencies, and remember that every API call can trigger an irreversible on-chain payment up to the built-in per-call cap.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill explicitly instructs the agent to run shell commands (`git clone`, `bun install`, CLI invocations) and make outbound network calls, yet it declares no permissions or equivalent capability disclosure. This creates a transparency and governance gap: an operator may approve or install the skill without realizing it can execute commands and contact external services, increasing the chance of unintended code execution or data egress.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill metadata says it provides crypto prices, wallet positions, and market data, but this file also exposes a wallet activity/transaction-history lookup. That expands the data-access scope beyond the declared capability and can enable collection of sensitive financial behavior data without clear user expectation or manifest disclosure, especially if arbitrary wallet addresses can be queried.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file implements persistent wallet secret storage, per-user key derivation, wallet creation, and private-key decryption, which materially exceeds the stated purpose of fetching Mobula market data. In an agent-skill context, adding custodial wallet capabilities expands the attack surface to secret theft and unauthorized spending, especially because the skill can decrypt user private keys on demand.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The ability to generate wallets and later return decrypted private keys is highly sensitive and not justified by a market-data access skill. Even if intended for pay-per-call billing, this creates a custodial design where compromise of the process, filesystem, or calling code can expose signing material and enable theft of user funds or unauthorized transactions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README states that the skill will automatically sign and broadcast on-chain USDC.e payments in response to HTTP 402 challenges, but it does not give a strong, explicit warning that each request can spend real user funds. In an agent setting, this is risky because automated or repeated calls can silently drain a funded wallet through normal operation, prompt injection, or abuse of the calling agent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill does state that calls are pay-per-call, but the warning is not prominent or repeated where the agent is instructed to use the API programmatically. In practice, an integrator could call helper functions like `userMobulaCall(...)` without a clear high-visibility warning that each invocation automatically spends funds from the associated wallet, leading to silent financial loss or abuse through loops, retries, or prompt-triggered calls.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The "call" command can trigger arbitrary paid API requests using the local wallet's private key, but the invocation path does not display a just-in-time warning or confirmation that each request spends funds. In an agent or scripted context, this increases the chance of unintended balance drain through repeated or attacker-influenced calls, especially because the command is generic and accepts arbitrary parameters.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
This code automatically signs and broadcasts an on-chain USDC.e transfer in response to a 402 payment challenge, using only server-provided challenge data and internal safety checks, with no explicit user confirmation at the moment funds are spent. Even with the per-call cap and chain checks, repeated or unexpected calls can still drain a hot wallet incrementally, and users may be unaware that a normal API request triggers a blockchain payment.

Session Persistence

Medium
Category
Rogue Agent
Content
cd mpp-skill
bun install

# 2. Create a hot wallet (AES-256-GCM encrypted at ~/.mpp-skill/wallet.json,
#    encryption key at ~/.mpp-skill/.secret, both chmod 600)
bun run start wallet-create
# → prints address + bridge link
Confidence
80% confidence
Finding
Create a hot wallet (AES-256-GCM encrypted at ~/.mpp-skill/wallet.json, # encryption key at ~/.mpp-skill

VirusTotal

59/59 vendors flagged this skill as clean.
