Agentcredit

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly disclosed crypto microloan and x402 payment facilitator, but it can create real USDC debt when intentionally connected to an agent wallet.

Install only if you intentionally want an agent wallet to use AgentCredit for Base USDC microloans or x402 payment settlement. Treat facilitator mode as real borrowing: use test amounts first, set wallet spending controls, monitor outstanding loans and fees, and avoid giving an agent unrestricted signing or payment authority.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly promotes a mode where an agent can incur debt automatically during x402 settlement with 'no interruption' and 'no human in the loop,' but it does not present a prominent end-user warning or consent mechanism at the point of integration. In an agent-skill context, this is dangerous because integrators may enable the facilitator and unintentionally allow autonomous borrowing, creating financial liability, unexpected fees, and repeated debt accumulation before an operator notices.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal