Crypto Scope

Security checks across malware telemetry and agentic risk

Overview

This skill performs crypto analysis, but it also embeds payment credentials and can charge a supplied user through SkillPay without a separate confirmation step.

Review before installing. Do not run the setup or publish scripts unless you maintain this skill and have inspected the diffs. Treat the bundled SkillPay key as exposed, replace it with a secure secret, and only pass a real user ID if you intend SkillPay balance checks and per-call charges.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (12)

Intent-Code Divergence

High (99% confidence)
Finding:
The script hardcodes what appears to be a live SkillPay API key and echoes part of it to the terminal, exposing sensitive credentials in source control, local shells, screen recordings, and logs. In a payment-related skill, embedded credentials materially increase the risk of unauthorized API access, account misuse, and downstream compromise of billing or skill-management operations.

Intent-Code Divergence

Medium (90% confidence)
Finding:
The module is presented as a crypto price/analysis assistant, but it also performs account-balance checks and charges through a third-party billing API. That mismatch reduces informed consent and increases the chance that users invoke financial operations they did not reasonably expect from the stated skill purpose.

Context-Inappropriate Capability

Medium (88% confidence)
Finding:
The code introduces external billing capability that is not obvious from the apparent crypto-analysis purpose, creating a hidden secondary function involving financial transactions. Hidden monetization paths are dangerous because they can surprise users and cause unauthorized or poorly understood charges and data transfers.

Context-Inappropriate Capability

Medium (97% confidence)
Finding:
The file hardcodes a third-party billing endpoint, API key, and skill identifier, enabling payment processing without any accompanying manifest or declared scope. This is dangerous because embedded billing credentials can be abused by anyone with code access to query balances or charge users, and the undeclared payment capability increases the risk of unauthorized monetization and data transfer.

Missing User Warnings

Medium (94% confidence)
Finding:
The guide instructs the user to execute a local setup script and then publish a new version externally, but it does not clearly warn that these steps can modify repository files and push changes to a public distribution channel. In a security-sensitive workflow, omission of change-review guidance can cause users to publish unintended code or configuration changes, especially when the document also includes payment-related setup steps and credential context.

Missing User Warnings

Medium (91% confidence)
Finding:
The document states that each call will automatically incur charges and even encourages monetization, but it does not present a prominent upfront warning about financial consequences before use. This can lead users or operators to enable and publish the skill without fully understanding that routine invocations trigger real per-call billing, creating a risk of unexpected charges and abusive overuse.

Vague Triggers

Medium (92% confidence)
Finding:
The trigger list includes broad, common terms such as 'crypto', 'bitcoin', and generic analysis phrases, which can cause the skill to activate in conversations where the user did not explicitly request it. Overbroad activation increases the chance of unwanted tool use, irrelevant financial guidance, and unintended exposure of user prompts to the skill pipeline.

Missing User Warnings

High (99% confidence)
Finding:
Embedding and displaying an API key is a real credential-exposure issue, even if only a prefix is shown, because the full key is still present in the file and likely accessible to anyone with repository or filesystem access. Given this script is for configuring a monetized SkillPay integration, leaked credentials could enable fraudulent changes, service abuse, or unauthorized access to operational/payment functionality.

Missing User Warnings

Medium (95% confidence)
Finding:
The skill transmits user identifiers to a billing provider and performs charges automatically as part of routine commands, without point-of-action confirmation. In an agent setting, this creates a real risk of unintended purchases, silent charging, and privacy-impacting transmission of user-linked billing data.

Missing User Warnings

Medium (89% confidence)
Finding:
The paid price flow checks balance, sends the user identifier to a remote billing service, retrieves external market data, and then charges the user without any explicit runtime disclosure or confirmation. This is dangerous because users may incur charges and have identifiers transmitted off-platform without informed consent, which can enable deceptive billing or privacy harm.

Missing User Warnings

Medium (90% confidence)
Finding:
The technical-analysis paid flow performs multiple remote requests and charges funds after processing, but does not warn the user that billing and identifier transmission will occur. In a paid skill context this creates a real risk of non-transparent charging and privacy exposure, especially because no manifest or policy is provided to justify the external processing.

Missing User Warnings

Medium (90% confidence)
Finding:
The signal-generation path transmits user identifiers to a billing provider and deducts funds without an explicit user-facing warning or confirmation step. Because this workflow is tied to financial/trading advice, silent charging and opaque data sharing are more sensitive and can undermine user trust while creating billing disputes or privacy complaints.

VirusTotal

65/65 vendors flagged this skill as clean.
