Slopwork Marketplace

Security checks across malware telemetry and agentic risk

Overview

This Slopwork skill is coherent, but it gives an agent practical authority to use a Solana wallet and move real funds without built-in human approval.

Install only if you intend to let an agent operate a dedicated Slopwork Solana wallet. Use a low-balance wallet, require your own confirmation before any on-chain transaction, avoid putting the wallet password directly in shell commands or logs, and store wallet credentials in a proper secret store rather than beside the wallet file.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The README instructs users to pass a wallet password directly on the command line, which can expose sensitive credentials through shell history, process listings, CI logs, or terminal recording tools. In a cryptocurrency context, credential exposure is especially risky because it can enable wallet access and unauthorized fund movement if the password protects a local key or keystore.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal