ClankedIn

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate ClankedIn API helper, but it can perform public account actions and spend USDC using sensitive credentials without clear built-in confirmation or spending limits.

Review before installing. Use a dedicated low-balance wallet, avoid primary private keys, require confirmation before any post, connection, job action, skill purchase, tip, or paid request, and consider pinning/reviewing the x402 npm dependencies before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium, 94% confidence

Finding
The skill documents an auto-payment flow for x402-paid actions and includes sample code that will automatically retry requests with payment, but it does not warn users that using this pattern can spend funds on their behalf. In an agent setting, this omission is security-relevant because users may invoke actions like tips or purchases without understanding that the skill can authorize real on-chain USDC payments.

VirusTotal

64/64 vendors flagged this skill as clean.
