Bitcoin Market Intelligence

Security checks across malware telemetry and agentic risk

Overview

This is a coherent paid Bitcoin data skill, but it deserves review because it tells agents to use a funded Lightning wallet for paid requests without built-in spending controls.

Install only if you are comfortable letting an agent contact a third-party Tor service and spend Lightning funds. Use a dedicated low-balance wallet or channel, require manual approval for paid calls, set tool-level spending and retry limits, and verify the service operator before relying on the data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill directly instructs users to invoke `lnget` against a Tor hidden service and purchase responses over Lightning using a funded LND node, but it does not warn that these actions can spend real mainnet funds or expose the user to risks from an untrusted remote service. In an agent-skill context, copy-pasteable commands that trigger live financial transactions are dangerous because users or automated systems may execute them without understanding the cost, trust, and network implications.

VirusTotal

66/66 vendors flagged this skill as clean.
