Back to skill

Security audit

Chainstream Graphql

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed ChainStream GraphQL analytics skill with payment and wallet setup instructions, and the risky parts are mostly documented subscription/auth flows rather than hidden behavior.

Install only if you are comfortable using ChainStream's external CLI/MCP service and letting an agent manage ChainStream auth, API keys, wallet signatures, and subscription checks. Prefer a generated or low-balance wallet and a scoped API key; do not import a valuable private key, and require explicit review before any paid plan purchase or DeFi action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is described as a read-only GraphQL analytics/query capability, but the error-handling guide includes transactional DeFi and wallet-execution failure modes such as slippage, balances, signatures, and on-chain confirmations. This can mislead an agent into treating the skill as capable of wallet interaction or trade execution, increasing the chance of unsafe tool orchestration, confusing recovery actions, or inappropriate prompts to the user involving authentication or wallet operations.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
Recovery steps like re-quoting with higher slippage, obtaining fresh confirmation, checking wallet balance, and troubleshooting signatures directly contradict the stated read-only GraphQL purpose. In an agent setting, contradictory operational guidance is dangerous because it can cause the model to request sensitive wallet actions, suggest financial operations outside scope, or blend analytics with execution workflows the user did not intend.

Vague Triggers

Medium
Confidence
74% confidence
Finding
The GraphQL activation rule is permissive enough to match vague 'analytics' requests and route them into a highly flexible query interface. In this skill context, that matters because GraphQL/custom query surfaces can enable broader-than-necessary data access, expensive queries, and reduced policy control compared with narrower purpose-built tools, increasing the chance of misuse or prompt-induced overreach.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly routes users to a transaction-executing skill for swaps, bridges, token creation, and transaction broadcast, but it does not include any warning that these actions can move assets, incur fees, or be irreversible once signed and submitted on-chain. In an AI-agent context, that omission increases the risk that users treat high-risk financial operations like ordinary read-only queries and approve unsafe actions without adequate caution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The usage examples include a direct swap prompt alongside harmless read-only prompts, but provide no warning about financial loss, MEV/slippage, wrong-token risk, fees, or irreversible execution. In a skill catalog for agent use, presenting swap actions without explicit cautions can normalize autonomous financial operations and lead users to trigger real asset movement with insufficient review.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation shows an API key being set directly in a CLI command and also includes an example output containing a live-looking key prefix (`cs_live_...`) without an adjacent warning that API keys are sensitive secrets. In agent and CI environments, users often copy commands verbatim, which can lead to keys being exposed in shell history, logs, transcripts, screenshots, or command monitoring systems.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.