Back to skill

Security audit

Sealer Attest

Security checks across malware telemetry and agentic risk

Overview

This is a coherent protocol helper for wallet-based onchain attestations, with costs and signature use disclosed and no hidden code or persistence.

Install only if you intend to let your agent interact with The Sealer Protocol. Before any write action, verify the thesealer.xyz domain, the Base network, the exact USDC amount, and the wallet prompt. Treat commitments, SIDs, and attestations as public and permanent, and never provide private keys or seed phrases.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly enables paid onchain write operations and creation of permanent attestations, but it does not instruct the agent to obtain explicit user consent immediately before spending funds or creating an irreversible onchain record. In an agent setting, that omission can cause unintended financial charges and permanent public identity/attestation actions to be triggered based on ambiguous user requests.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes transmitting wallet address, EIP-712 signatures, and nonces to a remote service, but it lacks a clear warning that authentication material and identity-linked data leave the local environment. This is dangerous because users may not realize they are authorizing off-platform processing of wallet-linked identity data, increasing privacy, phishing, and misuse risks if the service or integration is compromised.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.