Back to skill

Security audit

Fx Sdk Agent

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed FX Protocol SDK helper that can generate real blockchain transaction code, so it requires careful use but does not show hidden or malicious behavior.

Install only if you intend to build FX Protocol tooling. Before running generated scripts, pin and review dependencies, verify chain IDs, recipient and contract addresses, token amounts, slippage, approval targets, and use a trusted wallet; prefer dry-run or plan-only output until you have manually reviewed every transaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly supports transaction-producing actions, approvals, leverage changes, bridging, and redeem flows, but it does not prominently warn that these actions can move funds on-chain, incur fees, and may be irreversible if executed with wrong parameters. In an agent setting, this omission increases the chance that a user or downstream agent treats generated code as routine automation and executes high-risk transactions without sufficient confirmation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The playbook includes runnable transaction execution code that iterates over planned transactions and submits them on-chain without any embedded warning, confirmation step, or guidance about irreversible asset movement. In an agent skill specifically intended to generate transaction execution code for DeFi leverage, bridging, and vault operations, this omission can cause users or downstream agents to execute approvals and state-changing transactions without understanding financial risk, finality, or the need to verify recipients, amounts, and chain context.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.