Back to skill

Security audit

Vincent - Wallet

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent that it gives an agent wallet powers, but it allows real fund movement and signing before owner policies are configured.

Install only if you explicitly want an agent-controlled wallet. Claim any created wallet immediately, set strict spending limits, allowlists, and require-approval policies before funding it, protect the credential directory, treat re-link tokens as secrets, and consider pinning or reviewing the `@vincentai/cli` version before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documentation overstates secrecy by claiming the agent never handles raw keys or file paths, while the skill explicitly persists credentials to local paths and later instructs the user/agent to pass a one-time re-link token on the command line. Command-line arguments and local credential paths can be exposed through shell history, process listings, logs, backups, or other local tooling, so this creates a real credential-handling risk even if the token is not a private key.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The skill asserts that all API calls go only to heyvincent.ai and that no other services are contacted, but the documented behavior depends on Telegram notifications and third-party relay/DEX infrastructure for approvals, swaps, and bridging. This mismatch can mislead operators about where transactional metadata may flow, weakening informed consent, privacy review, and network egress controls.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Using a trigger as broad as "wallet" can cause the skill to activate for many unrelated user requests, increasing the chance that high-risk financial actions are suggested or executed in the wrong context. Because this skill can create wallets, move assets, and sign data, accidental invocation materially raises the risk of unintended transactions or credential creation.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill explicitly allows the agent to operate without policy restrictions before the human claims the wallet and configures controls. In a wallet/transaction skill, that means a newly created credential can immediately be used for transfers, swaps, contract calls, or signing with no human-defined guardrails, which creates a serious window for unauthorized or mistaken financial activity.

Ssd 4

High
Confidence
98% confidence
Finding
Normalizing unrestricted autonomous wallet control before human claim/policy setup is particularly dangerous in this context because the skill is expressly designed to perform on-chain value transfers and arbitrary contract interactions. Even if server-side controls exist after claim, the documented pre-claim behavior creates an unguarded period in which the agent can act with broad financial authority, making mistakes or abuse costly and potentially irreversible.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.