Back to skill

Security audit

XMTP

Security checks across malware telemetry and agentic risk

Overview

This XMTP agent documentation is mostly coherent, but copied examples could save untrusted files unsafely and create wallet, group, or public-storage flows without enough guardrails.

Review before production use. Treat this as developer documentation, not malware, but fix the attachment filename handling, avoid public attachment URLs unless intentional, use a dedicated low-value agent wallet, protect .env secrets, and add explicit confirmations and limits for payments and group membership changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The example returns a public gateway URL for uploaded attachment content, which can cause encrypted user attachments to become broadly accessible outside XMTP's intended delivery path. Even if payloads are encrypted, publishing stable public URLs leaks metadata, increases retention and redistribution risk, and may expose content if encryption is misused elsewhere or keys are later compromised.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The S3 example constructs and returns a direct public object URL, encouraging operators to store attachment ciphertext in a location retrievable by anyone with the link. This weakens privacy guarantees, may violate data-handling expectations, and creates durable public exposure if bucket or object permissions are misconfigured.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The example registers the menu on very common inputs like "hi", which can cause the agent to trigger UI behavior during ordinary conversation rather than only on explicit user intent. In an XMTP agent context, this can lead to unwanted inline actions, confusing navigation flows, and increased risk of accidental invocation of downstream handlers such as purchase or transaction-related actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example writes a remotely received attachment to a local path using an attacker-controlled filename without warning or validation. In an agent context, attachments are untrusted input; this can lead to path traversal, overwriting local files, persistence of malicious content, or unsafe downstream processing by users or other components.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation shows publishing attachment data to public storage without warning users about public accessibility, metadata leakage, retention, and third-party hosting implications. In a developer-facing skill, omission of these warnings is dangerous because it normalizes insecure defaults that may be copied directly into production agents.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The S3 example omits notice that attachment payloads are uploaded to third-party storage and exposed through a direct URL, which can mislead implementers into believing this is a safe default. Given that this skill is specifically for building XMTP agents with attachments, developers are likely to reuse the snippet as-is, making the omission materially risky.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill description includes broad triggers such as 'wallet calls' and 'transaction reference,' which can cause the skill to activate in contexts that are only loosely related to token transfers. In a transaction-handling skill, unintended invocation is risky because it increases the chance that transactional logic or wallet request generation is surfaced when a user did not explicitly intend to perform a financial action.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The manifest description says the skill should be used for creating groups, managing members, setting permissions, or sending welcome messages, which is fairly broad activation language without explicit exclusions or tighter triggers. In an agent-skill ecosystem, overly broad routing can cause the skill to activate in contexts involving sensitive membership or permission actions when a narrower skill would be safer, increasing the chance of unintended group-management operations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The example sends a user-supplied identifier directly to the external web3.bio API, which can disclose user message content or identity lookups to a third party without any notice, consent, or privacy guidance. In an XMTP agent context, identifiers may come from private conversations, so this creates a real privacy and data-sharing risk even though the code is not otherwise unsafe.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The example instructs agents to perform an external Farcaster profile lookup based on a sender address and then use the returned data in conversation, but it does not mention that this causes third-party data disclosure to the web3.bio-backed resolver. In an agent context, this can surprise users and developers by linking wallet addresses to social profiles through an external service without notice or consent, creating a privacy risk even if no direct code-execution issue exists.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill description includes broad trigger language such as 'adding reactions to messages' and 'showing processing state,' which can match a wide range of normal agent tasks and cause the skill to be invoked more often than intended. In an agent routing system, overly broad activation can lead to incorrect tool selection, unnecessary message handling, and expanded attack surface if reaction-related logic is applied in contexts where it was not expected.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.