Back to skill

Security audit

HashCats Amazon Intelligence

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed pay-per-call Amazon product data connector, but users should understand it can spend small USDC amounts through x402.

Install only if you are comfortable sending shopping queries and Amazon product URLs to HashCats and letting an x402-enabled agent make small USDC payments. Use wallet spending limits, monitor first use, and avoid fully autonomous repeated calls unless you accept the possible cumulative charges.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly says agents 'pay tiny USDC amounts automatically on 402 responses' and 'without any API keys,' but it does not prominently warn that this causes real monetary spending. In an agent skill context, that omission can lead to unintended charges because users or downstream agent operators may enable the skill without understanding that normal API use triggers automatic paid transactions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.