Xaman Wallet Integration

Security checks across malware telemetry and agentic risk

Overview

This is a coherent instruction-only guide for adding Xaman wallet support, with expected wallet-session and payment/signature considerations.

Before using this skill, make sure you trust the Xaman SDK source, configure API key origins and redirect URLs tightly, consider disabling persistent sessions or using custom storage for sensitive apps, provide logout on shared devices, harden the app against XSS, and require clear user confirmation for every payment or signature request.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The skill explicitly documents that sessions are persisted in localStorage by default and does not warn about the security and privacy tradeoffs. Tokens or session state stored in localStorage can be exposed to any script running in the origin, increasing risk from XSS, browser extensions, or shared-device access; in a wallet-authentication context, that can lead to unauthorized session reuse or privacy leakage.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal