Safe Skills

Security checks across malware telemetry and agentic risk

Overview

This wallet skill is not deceptive, but it gives an agent persistent authority to move crypto funds and send arbitrary blockchain transactions without clear user-confirmation guardrails.

Review carefully before installing or funding a wallet. Use testnet or small amounts first, keep the API key out of chat and logs, verify the SafeSkills provider and claim URL controls, set strict spending policies if available, and require explicit confirmation for every transfer or smart-contract transaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill enables ETH/token transfers and arbitrary transaction submission but does not explicitly instruct the agent to obtain clear user confirmation or warn that blockchain actions are irreversible. In an agent setting, this increases the risk of unintended asset movement, especially because the API key authorizes spending actions and the arbitrary transaction endpoint can invoke unknown contract behavior.

VirusTotal

62/62 vendors flagged this skill as clean.
