Luzia Crypto API

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Luzia crypto market-data skill that uses a Luzia API key and network API calls, with no hidden code or account-changing behavior found.

Install only if you want Luzia as a crypto market-data source. Keep the Luzia API key private, prefer environment variables or a secrets manager over hardcoding, monitor API usage and paid-plan WebSocket limits, and do not provide exchange trading keys, wallet secrets, or unrelated credentials.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 80% confidence
Finding: The skill repeatedly instructs users to place a live API key in Authorization headers and example code, but never warns against hardcoding, logging, or sharing that credential. In a user-invocable integration skill, this omission can lead to accidental credential exposure in source code, chat transcripts, screenshots, or telemetry, enabling unauthorized API use.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal