Ev Calculator

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed EV calculator with an optional paid external API path, and the reviewed code itself performs local calculations without hidden behavior.

Safe to install as a calculator based on the reviewed files. Before invoking the API path, confirm the x402 payment details and avoid sending confidential trading assumptions to the external endpoint unless you are comfortable sharing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The manifest presents the skill as a simple EV calculator, but the declared capability is a paid remote API call to an external endpoint. This creates a trust-boundary mismatch: users may expect local deterministic calculation, while their inputs and payment flow are instead sent to a third-party service, enabling undisclosed data collection, service substitution, or unexpected charges.

VirusTotal

65/65 vendors flagged this skill as clean.