Crypto Alert Aggregator

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it advertises real-time crypto and Twitter trading alerts while the code generates random mock data without telling users.

Treat this as experimental only. Do not rely on its alerts for trading or research decisions, and do not provide real API keys until the publisher clearly labels simulation mode, implements real data-source calls, documents webhook data flow, and provides a way to stop streaming pollers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation advertises an ALERT_WEBHOOK for external notifications without warning that alert contents may be transmitted to third-party endpoints. Because the skill aggregates potentially sensitive trading signals, behavioral preferences, or proprietary monitoring outputs, silent webhook delivery can cause data leakage, compliance issues, or unreviewed exfiltration to attacker-controlled URLs if misconfigured.

VirusTotal

65/65 vendors flagged this skill as clean.
