Back to skill

Security audit

Ai Bounty Claim

Security checks across malware telemetry and agentic risk

Overview

This is a coherent AI bounty claim helper, but it deals with wallet signing so users must verify transactions and protect wallet secrets.

Install only if you intend to claim this specific AI bounty. Review the external Portkey dependency skills before using them, never paste a seed phrase or private key into chat, prefer an isolated or low-value wallet, and verify the signer, contract address, receiver, reward amount, gas note, and transaction summary before confirming any write.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger examples `help me claim` and `帮我 Claim。` are very broad, natural-language phrases that can easily appear in unrelated contexts, increasing the chance that this skill is selected when the user did not intend account-choice or bounty-claim handling. In a wallet and claiming flow, accidental activation can misroute users into financial/account workflows, create confusion, and increase the chance of unsafe follow-on actions or phishing-like UX patterns.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example code reads a private key directly from `process.env.PRIVATE_KEY` in a wallet-claim workflow, but the surrounding markdown does not warn users about secure secret handling, key scope, or the risk of using a real funded key in copied example code. In a blockchain claim context, this increases the chance that operators will run the snippet with production credentials in unsafe environments, exposing signing authority and funds if the environment, logs, or shell history are compromised.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger examples include very broad phrases like 'help me claim' and 'claim for me', which can cause this high-impact wallet/claim flow to activate from ambiguous everyday language. In a skill that routes users into account onboarding and transaction-related actions, overly broad invocation increases the risk of accidental routing, confused-deputy behavior, or social-engineering-assisted progression into sensitive flows without clear user intent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.