Bounty Hunter Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be legitimate XLayer testnet bounty tooling, but its instructions ask users to expose a raw wallet private key even though the reviewed script only supports read queries and unsigned transaction building.

Use the build-tx flow with an external wallet and review chain ID, destination contract, token address, amount, task ID, and account before signing. Do not export a valuable or reused wallet private key for this skill; if installing dependencies, prefer a trusted HTTPS registry or regenerate the lockfile from one.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (11)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs users to place a raw private key in the `NIUMA_WALLET_SECRET` environment variable for write operations, but provides no warning about secret handling, process/environment leakage, shell history exposure, or safer alternatives. In a blockchain context, compromise of this key can directly lead to irreversible theft of funds or unauthorized transactions from the user's wallet.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill documents multiple state-changing blockchain actions such as creating tasks, approving, rejecting, canceling, bidding, and token approval without clearly warning that signed transactions are generally irreversible once broadcast. This omission increases the risk of users unintentionally performing destructive or financially impactful actions, especially because token approvals and task-management operations can have lasting on-chain consequences.

Natural-Language Policy Violations

Low
Confidence: 97%
Finding
The lockfile pins package downloads to plain HTTP URLs on a region-specific mirror, which removes transport security and allows a network attacker or compromised mirror path to tamper with downloaded tarballs. Although npm integrity hashes provide some protection, relying on insecure transport still weakens supply-chain trust and can enable denial, downgrade, metadata manipulation, or exploitation if integrity verification is bypassed or inconsistently enforced.

Natural-Language Policy Violations

Low
Confidence: 97%
Finding
This entry repeats the same insecure pattern: dependency tarballs are fetched from a hardcoded HTTP regional mirror instead of a trusted HTTPS source. A malicious proxy, local network adversary, or compromised mirror could interfere with package delivery and undermine the dependency supply chain.

Natural-Language Policy Violations

Low
Confidence: 97%
Finding
Hardcoding a region-specific HTTP package source creates unnecessary trust in a third-party mirror and exposes dependency retrieval to interception or mirror compromise. In a skill that ships executable tooling, supply-chain tampering can directly affect users installing or running the package.

Natural-Language Policy Violations

Low
Confidence: 96%
Finding
Even for a types package, forcing retrieval from a plain HTTP mirror is a supply-chain risk because it normalizes insecure package sourcing across the project. The danger is amplified by the package's role in a JavaScript/Node ecosystem where installation commonly executes package-manager logic and influences developer systems.

Natural-Language Policy Violations

Low
Confidence: 97%
Finding
This dependency also inherits the insecure HTTP mirror constraint, extending the attack surface across the full dependency tree. A persistent pattern of insecure mirror pinning suggests weak dependency hygiene rather than an isolated mistake.

Natural-Language Policy Violations

Low
Confidence: 98%
Finding
The primary ethers dependency is fetched from a hardcoded HTTP regional mirror, creating a meaningful supply-chain risk for a package likely interacting with wallets, signing, or blockchain transactions. If the dependency path were tampered with, users could be exposed to credential theft, transaction manipulation, or malicious code execution during install or runtime.

Natural-Language Policy Violations

Low
Confidence: 96%
Finding
This lockfile entry continues the insecure sourcing pattern, showing the project consistently forces package retrieval through an unauthenticated regional mirror. Repetition increases the likelihood that all installs of the skill inherit weakened supply-chain guarantees.

Natural-Language Policy Violations

Low
Confidence: 96%
Finding
Pinning another package to the same HTTP mirror compounds the supply-chain exposure and indicates users do not have an opt-in choice about where artifacts are retrieved from. This is risky because dependency consumers implicitly trust the lockfile to represent a secure, reproducible source of packages.

Natural-Language Policy Violations

Low
Confidence: 97%
Finding
The WebSocket dependency is likewise sourced from the same HTTP mirror, extending insecure transport to network-facing functionality. Given that this skill exposes a CLI binary and depends on communication libraries, compromised dependencies could have direct runtime consequences for end users.

VirusTotal

66/66 vendors flagged this skill as clean.