Security audit

FourMeme

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent about using a wallet key for live BSC actions, but it also enables broad fund transfers through an unpinned external CLI, so users should review it carefully before installing.

Install only with a dedicated low-balance BSC wallet, never a primary wallet. Pin and verify the npm CLI version before use, review every recipient, token address, amount, and contract interaction before approving, and prefer quote/read-only commands before create, buy, sell, send, or 8004-register actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill explicitly requires access to a private key via environment variables and performs networked blockchain/API operations, yet the finding indicates these capabilities are not fully declared as permissions. In an agent setting, undeclared access to secrets and external network interaction weakens user visibility and policy enforcement, increasing the risk of unauthorized fund-moving or signing actions.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 98%
Finding
The description centers on meme-token creation/trading, but the skill also supports generic asset transfer (`send`) and EIP-8004 registration/query. That mismatch is dangerous because users or orchestrators may enable the skill expecting limited trading functionality while it actually has broader wallet-control capabilities, including sending native BNB or arbitrary ERC-20 tokens to any address.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
This script adds functionality to mint an EIP-8004 identity NFT, which is unrelated to the declared Four.Meme meme-token creation/trading purpose of the skill. In an agent-skill context, out-of-scope blockchain actions are dangerous because users may grant wallet access expecting one class of transactions while the package can initiate different on-chain operations with real cost and side effects.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The script reads PRIVATE_KEY and uses it to sign and submit an on-chain register() transaction for an identity NFT that is not justified by the skill's advertised purpose. This increases risk because any environment exposing wallet credentials to a meme-token tool could unknowingly authorize unrelated blockchain activity, leading to unexpected spending, identity linkage, or trust abuse.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
This script enables arbitrary transfer of native BNB or any ERC20 from whatever wallet is loaded via PRIVATE_KEY, which materially exceeds the stated scope of a Four.Meme meme-token creation/trading skill. In an agent/tooling context, a generic transfer primitive is dangerous because any prompt injection, misconfiguration, or downstream misuse can convert it into direct asset exfiltration from the configured wallet.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The code path at lines 74-89 performs unrestricted native or ERC20 transfers to any valid address supplied on the command line, with no authorization layer beyond possession of the wallet private key. In the context of an agent skill advertised for meme-token operations, this broad transfer capability increases the blast radius of compromise and creates a straightforward mechanism for unauthorized fund movement.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation explicitly instructs users to export a raw PRIVATE_KEY into their shell environment without any warning about secure handling, ephemeral use, shell history, process exposure, or safer alternatives. In a skill that performs real on-chain token creation and fund-bearing transactions, this increases the chance of secret leakage and wallet compromise, especially in shared terminals, CI systems, logs, or agent-run environments.

Missing User Warnings

Medium
Confidence: 90%
Finding
The script transmits wallet address, signed authentication material, and a local image file to a third-party remote service without an explicit runtime warning or confirmation. In a security-sensitive context like token creation and trading, this can mislead users about what local data and wallet-linked metadata are leaving the machine, increasing privacy and phishing-style consent risks.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code: suspicious.dangerous_exec
Location: scripts/create-token-instant.ts:53

Environment variable access combined with network send.

Critical
Code: suspicious.env_credential_access
Location: scripts/create-token-api.ts:38