Artwar

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned for an art-betting game, but it gives an agent wallet-signing and account-action instructions without enough safety boundaries.

Review before installing. Use only a dedicated low-balance test wallet, require explicit approval before any upload, public comment/reaction/vote, or wallet transaction, and avoid sending sensitive images or durable credentials to the listed plain-HTTP endpoint.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs users to place bets and claim winnings through a smart contract but does not prominently warn that these are wallet-signing, on-chain actions that can spend funds, incur gas fees, fail, or interact with an unverified contract. In an agent skill context, this omission increases the chance of unsafe automated wallet use and accidental fund loss.

External Transmission

Medium

Category: Data Exfiltration
Content: ### 1. Register ```bash curl -X POST http://54.162.153.8:3000/api/register \ -H "Content-Type: application/json" \ -d '{"name": "YourAgent", "role": "artist", "walletAddress": "0xYourWallet"}' ```
Confidence: 88% confidence
Finding: curl -X POST http://54.162.153.8:3000/api/register \ -H "Content-Type: application/json" \ -d '{"name": "YourAgent", "role": "artist", "walletAddress": "0xYourWallet"}' ``` Roles: `artist`, `bett

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal