
Security audit

trongrid-token-list

Security checks across malware telemetry and agentic risk

Overview

This is a read-only TRON token lookup skill, but users should not rely on it for price, volume, or market-cap rankings.

Install only if you want read-only public TronGrid token lookups. Treat rankings as on-chain heuristics based on holders, supply, and recent activity, not investment-grade price, volume, or market-cap data; verify market metrics with a dedicated market-data source before making financial decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium severity, 97% confidence
Finding
The skill metadata promises ranking by price, volume, and market cap, but the implementation explicitly states TronGrid does not provide that data and instead ranks by holder count, activity, and supply. This mismatch can mislead users or upstream agents into making financial comparisons based on inaccurate proxies, creating integrity and decision-risk issues in a token-discovery context.

Intent-Code Divergence

Medium severity, 95% confidence
Finding
The examples advertise 'Top TRON tokens by market cap' even though the skill states market cap data is unavailable via TronGrid. That contradiction increases the chance that users or agents will trust fabricated or proxy-based rankings as actual market-cap results, which is especially risky for financial discovery workflows.
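Both findings describe the same class of defect: ranking criteria advertised in the skill's description and examples that the implementation itself disclaims. The following Python check is an added example, not part of this audit page, of SkillSpector, or of the trongrid-token-list skill. It extracts the criteria a manifest claims, splits the implementation into clauses that use a criterion versus clauses that negate it, and reports claims the code contradicts or never backs. The manifest layout, the source text, the criteria vocabulary and the negation heuristic are all constructed assumptions for illustration.

```python
"""Minimal description-behavior consistency check for a token-ranking skill.

Added example; the manifest, source and vocabulary below are constructed
and do not represent the real trongrid-token-list skill."""

import re

# Constructed stand-in for a skill manifest (assumed layout).
SKILL_MANIFEST = {
    "name": "example-token-list",
    "description": "List TRON tokens ranked by price, volume, and market cap.",
    "examples": [
        "Top TRON tokens by market cap",
        "Show the most-held TRC20 tokens",
    ],
}

# Constructed stand-in for the implementation text being audited.
SKILL_SOURCE = '''
def rank_tokens(tokens):
    # TronGrid does not provide price, volume, or market cap;
    # rank by holder count, then recent activity, then total supply.
    return sorted(tokens, key=lambda t: (t["holders"], t["activity"], t["supply"]), reverse=True)
'''

# Assumed vocabulary of ranking criteria and the phrases that name them.
CRITERIA = {
    "price": r"\bprices?\b",
    "volume": r"\bvolumes?\b",
    "market cap": r"\bmarket[ -]?cap(?:italization)?\b",
    "holders": r"\b(?:holders?|most-held)\b",
    "activity": r"\b(?:activity|recent transfers?)\b",
    "supply": r"\bsupply\b",
}

# Heuristic: a clause containing one of these words disclaims the criteria it names.
NEGATION = re.compile(r"\b(?:not|no|never|unavailable|without)\b", re.I)


def criteria_in(text):
    """Return the set of criteria whose pattern appears anywhere in text."""
    return {name for name, pat in CRITERIA.items() if re.search(pat, text, re.I)}


def claimed_criteria(manifest):
    """Criteria the skill advertises: its description plus its example prompts."""
    text = " ".join([manifest["description"], *manifest["examples"]])
    return criteria_in(text)


def implemented_criteria(source):
    """Split the implementation into (used, disclaimed) criteria sets.

    Clauses end at '.', ';', ':' or a newline. A criterion named in a negated
    clause ("does not provide price") counts as explicitly disclaimed, and a
    disclaimer wins over any other mention of the same criterion."""
    used, disclaimed = set(), set()
    for clause in re.split(r"(?<=[.;:\n])\s+", source):
        found = criteria_in(clause)
        if NEGATION.search(clause):
            disclaimed |= found
        else:
            used |= found
    return used - disclaimed, disclaimed


def check_mismatch(manifest, source):
    """Compare advertised criteria against what the code uses or disclaims.

    contradicted: claimed and explicitly disclaimed by the code (the finding above)
    unsupported:  claimed but never mentioned by the code
    consistent:   claimed and actually used"""
    claimed = claimed_criteria(manifest)
    used, disclaimed = implemented_criteria(source)
    return {
        "contradicted": sorted(claimed & disclaimed),
        "unsupported": sorted(claimed - used - disclaimed),
        "consistent": sorted(claimed & used),
    }


if __name__ == "__main__":
    report = check_mismatch(SKILL_MANIFEST, SKILL_SOURCE)
    for kind, names in report.items():
        print(f"{kind:>12}: {', '.join(names) or '-'}")
```

Run against the constructed inputs, the check reports price, volume and market cap as contradicted and holders as consistent, which is the shape of both findings: the metadata and examples promise market data the implementation says it cannot obtain. The negation heuristic is deliberately simple; a production check would parse the code and comments separately rather than splitting on punctuation.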

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.