Back to skill

Security audit

Gas Tracker

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow Ethereum gas-price checker that makes disclosed public API requests and does not appear to access private local data or persist anything.

Install this only if you are comfortable with live network requests to public Ethereum gas APIs. It does not appear to read wallet secrets or local files, but locked-down environments may want explicit endpoint allowlisting; also verify the alert exit-code behavior before relying on it in automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes code that performs outbound network access to multiple public Ethereum RPC and explorer endpoints, but no corresponding permissions are declared. This creates a security and governance gap: reviewers and runtime policy engines may not understand that the skill can contact external services, potentially exposing metadata, enabling unvetted data flows, or bypassing expected approval controls.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.