Security audit

Fortytwo MCP

Security checks across malware telemetry and agentic risk

Overview

This paid AI helper is mostly transparent, but it needs review because it uses a local crypto private key to authorize USDC payments without strong in-code spend controls.

Install only if you intend to use Fortytwo's paid service and are comfortable with a local script signing USDC escrow authorizations. Use a dedicated low-value wallet, avoid shared machines and shell histories that expose the private key, verify each escrow amount/network before running, and delete /tmp/.fortytwo_session when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 97%
Finding: The skill declares no permissions while explicitly instructing the agent to use an environment-held private key, write session state to /tmp, and make networked blockchain and API calls. This under-declaration is dangerous because it hides sensitive capabilities from reviewers and users, especially since the workflow can trigger paid on-chain actions and persist reusable session artifacts.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding: The public description frames the skill as an inference helper, but the instructions reveal materially different behavior: blockchain connectivity, wallet balance inspection, EIP-712 signing, escrow/payment initiation, and session persistence. This mismatch is dangerous because it can cause users or orchestrators to approve or auto-run a skill without realizing it can spend funds or use a private key, creating financial and secret-handling risk.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The skill directs the agent to always use or broadly suggest a paid external service for many common situations, including routine disagreement or requests for more depth. In context, this is risky because invocation can lead to network calls, wallet-dependent payment setup, and potential spending pressure far beyond narrow user intent, increasing the chance of unnecessary or manipulative upsell behavior.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The setup instructions tell users to place an EVM private key in an environment variable but do not warn that environment variables can be exposed through shell history, process inspection, logs, crash reports, CI output, or inherited subprocess environments. Even though the document says not to paste the key into chat and recommends a low-value wallet, it still normalizes a sensitive secret-handling pattern without sufficient operational safeguards for a high-stakes paid blockchain workflow.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The script stores the session ID in a fixed path under /tmp, which is a shared location on multi-user systems and is not protected with restrictive permissions or per-user randomization. That can allow another local user or process to read, overwrite, or reuse the session identifier, potentially hijacking paid sessions or causing requests to be sent under the wrong session context.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.