SaucerSwap Arbitrage

Security checks across malware telemetry and agentic risk

Overview

The skill’s DEX arbitrage purpose is coherent, but it needs review because its live mainnet swap guidance can move real funds without clear enough safety warnings or confirmation boundaries.

Review this carefully before installing. Use it only with a testnet or dry-run workflow first, require explicit confirmation before any swap, verify slippage and fees manually, and never give a wallet more authority or funds than you are prepared to risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill includes instructions and example code for executing live swaps on a mainnet DEX but does not prominently warn that these actions can move real funds, incur fees, and cause irreversible loss through slippage, bad routing, or faulty assumptions in the arbitrage logic. In an agent setting, this omission is risky because users may treat the skill as informational or simulation-only when it actually facilitates real transaction execution.

VirusTotal

64/64 vendors flagged this skill as clean.
