Security audit

Universal Profile

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Universal Profile tool, but it can use local controller keys to submit irreversible blockchain transactions without built-in confirmation.

Review before installing if you will connect a funded or highly privileged Universal Profile. Use a least-privilege controller, avoid full-access permissions, test on testnet first, keep key files locked down, and manually inspect every direct, relay, batch, transfer, mint, or permission-changing transaction before allowing an agent to run it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill describes capabilities that require network access, shell execution, and use of environment variables/credential files, but it does not declare any permissions. This creates a permission-model mismatch: an agent or platform may grant broader runtime capabilities than users expect, increasing the risk of unintended command execution, secret access, or outbound interactions with wallets, relays, and third-party APIs.

Missing User Warnings

Medium
Confidence: 92%
Finding
The examples demonstrate security-sensitive operations—updating profile metadata, granting/revoking LSP6 permissions, and executing value transfers—without warning users that these actions can change account control or move funds. In an agent skill context, copy-pasteable examples can be operationalized by users or agents with insufficient review, increasing the risk of accidental privilege escalation, lockout, or unauthorized transfers.

Missing User Warnings

Medium
Confidence: 89%
Finding
The example references a controller private key via an environment variable but provides no guidance on secure secret handling, storage, rotation, or avoiding exposure in logs and shells. Because this skill manages blockchain identities and permissions, compromise of the controller key could allow full profile control, permission changes, and asset transfers.

Missing User Warnings

Medium
Confidence: 93%
Finding
This example file shows contract deployment, minting, and token transfer flows as if they were routine snippets, but does not clearly warn that these are real on-chain actions that can spend funds, create permanent assets, and trigger irreversible state changes. In an agent skill context, users may copy or invoke these examples against live wallets or profiles without understanding operational or financial consequences, increasing the chance of accidental loss or unintended asset creation/transfers.

Missing User Warnings

Medium
Confidence: 96%
Finding
The example explicitly uses `force: true` to bypass the LSP1 Universal Receiver safety check during minting, but does not explain when this is safe versus dangerous. Bypassing receiver checks can cause tokens to be sent to addresses or contracts that cannot properly process them, potentially resulting in inaccessible assets, broken integrations, or unexpected behavior.

Missing User Warnings

Medium
Confidence: 88%
Finding
The `config:show` command prints the full configuration object directly to stdout without redacting sensitive fields or warning the user. In a CLI that handles blockchain identities, values such as profile addresses, RPC endpoints, keystore paths, and other operational metadata may be sensitive and can be exposed through terminal history, logs, shell capture, or agent output surfaces.

Missing User Warnings

Medium
Confidence: 88%
Finding
This function submits an on-chain transaction immediately through a credentialed wallet with no runtime confirmation, policy gating, or safety interlock in the execution path. In an agent skill that manages Universal Profiles and blockchain operations, that means any upstream prompt injection, malformed tool call, or unintended parameter flow can directly trigger irreversible state changes or fund movement.

Missing User Warnings

High
Confidence: 94%
Finding
Batch execution is more dangerous because it can bundle multiple arbitrary calls into one irreversible transaction, amplifying the impact of a single unsafe invocation. Without runtime confirmation or transaction policy checks, an attacker or mistaken agent decision could combine permission changes, token transfers, and other privileged actions in a single broadcast that is harder for a user to notice and stop.

Missing User Warnings

Medium
Confidence: 94%
Finding
The helper returns `creds.controller.privateKey` directly to any caller of `getProviderWithCredentials`, unnecessarily broadening access to the most sensitive secret in the system. In an agent skill context, this is especially risky because downstream tools, prompts, logs, error handlers, or untrusted integrations may inspect or serialize returned objects, causing accidental key exposure and full compromise of the controller account.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.