Hedera Transaction Builder

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent and not deceptive, but it teaches signing and submitting real Hedera transactions without clear confirmation or key-safety safeguards.

Review this carefully before installing. Use testnet first, prefer wallet-mediated signing, never paste private keys into chat or source files, pin @hashgraph/sdk in a lockfile, and require explicit confirmation of all transaction details before any mainnet signing or submission.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly supports building, signing, and submitting Hedera transactions on mainnet, including HBAR transfers, but does not warn that these actions can move real funds and are generally irreversible once submitted. In an agent setting, this omission increases the risk of unintended financial loss because a user or downstream system may treat the examples as routine code rather than high-impact operations requiring explicit confirmation and network selection safeguards.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal