Back to skill

Security audit

x402 OSINT

Security checks across malware telemetry and agentic risk

Overview

The skill’s wallet-based paid API behavior is disclosed and aligned with its video/payment purpose, but users should treat the wallet key and submitted identity data carefully.

Install only if you are comfortable using a wallet for paid API calls. Use a dedicated low-balance wallet, avoid pasting a primary private key, review the exact prompt/cost before approving payment, and assume submitted usernames, prompts, media URLs, and agent identity details may be visible to the external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill requires an `EVM_PRIVATE_KEY` and enables automatic paid network calls, but the documentation does not clearly warn users about the sensitivity of the private key, the trust boundary of the remote service, or the privacy and spending implications of sending usernames/emails to a third-party endpoint. In an agent setting, this can lead to unintended fund usage, disclosure of sensitive lookup targets, or unsafe key handling if users paste production wallet credentials without understanding the risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.