doginals

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Dogecoin inscription tool, but it gives the installer and scripts high-impact system and wallet authority with weak safeguards.

Install only in an isolated or dedicated Dogecoin environment. Review install.sh before running it, verify Dogecoin Core downloads independently, avoid primary or high-balance wallets, protect or replace plaintext wallet/RPC files, and do not enter untrusted addresses or paths into auto_inscriber_v4.py until the shell execution issue is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Construct and run the first command
mint_command = f"node . mint {doge_address} {image_path}"
result_mint = subprocess.run(mint_command, shell=True, capture_output=True, text=True)
print("Output from mint command:")
print(result_mint.stdout)
Confidence
99% confidence
Finding
result_mint = subprocess.run(mint_command, shell=True, capture_output=True, text=True)

Tainted flow: 'mint_command' from input (line 22, user input) → subprocess.run (code execution)

Critical
Category
Data Flow
Content
# Construct and run the first command
mint_command = f"node . mint {doge_address} {image_path}"
result_mint = subprocess.run(mint_command, shell=True, capture_output=True, text=True)
print("Output from mint command:")
print(result_mint.stdout)
Confidence
100% confidence
Finding
result_mint = subprocess.run(mint_command, shell=True, capture_output=True, text=True)

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The code explicitly warns that `batchMintDune` is 'not dune aware' and may spend dune-bearing UTXOs, yet it still constructs, signs, and broadcasts transactions from the full wallet. In this context, that can unintentionally transfer or burn protocol assets, causing irreversible loss of user funds/assets rather than being a mere documentation issue.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script description claims it only checks dependencies, but it also performs system-wide installation of Node.js and Dogecoin Core and writes persistent configuration files. This mismatch is dangerous because it reduces informed consent and can cause users or automation to run a script with broader side effects than advertised.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs users to generate a new `.wallet.json` file and fund it, but it does not warn that this file likely contains private key material or other wallet secrets that must be protected and backed up securely. In a cryptocurrency context, losing or exposing that file can directly lead to irreversible loss or theft of funds.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README documents `wallet send <address> <amount>` as a normal step without a clear warning that blockchain transfers are irreversible and that a mistyped address or amount can permanently destroy or misdirect assets. Because this tool is explicitly used with real DOGE and token-like assets, omission of that warning materially increases user risk.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script repeatedly invokes a token minting command in a loop using user-supplied count, address, and token name, with no confirmation prompt, dry-run mode, rate-limit validation, or warning about irreversible blockchain side effects. In this context, that makes accidental or excessive minting materially more likely, which can lead to unintended asset issuance, transaction fees, and operational or financial harm.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The wallet creation routine writes the private key in plaintext JSON to a predictable local file without encryption, permission hardening, or any warning to the user. In a cryptocurrency wallet context, exposure of this file directly enables theft of all funds controlled by that key, so this is a real security weakness rather than a mere UX issue.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
`walletNew()` writes the private key, address, and UTXO set in plaintext JSON to disk without encryption, permission hardening, or a clear warning to the user. On multi-user systems, compromised hosts, backups, or accidental file exposure, this can directly disclose the wallet private key and enable theft of all funds.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script downloads a remote setup script and pipes it directly into 'sudo bash', then installs packages as root without any confirmation. This is dangerous because a compromised upstream source, MITM, or unexpected script change would immediately execute with elevated privileges on the host.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script silently creates a Dogecoin configuration file containing RPC credentials, even though the sample values are placeholders. Creating sensitive service configuration without warning can expose users to insecure defaults, accidental credential reuse, and unintended daemon exposure if the file is later modified or deployed as-is.

VirusTotal

66/66 vendors flagged this skill as clean.