Security audit

Morpho CLI

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Morpho CLI guide for querying protocol data and preparing unsigned transactions, with financial-risk guidance but no evidence of hidden execution or credential use.

Install only if you are comfortable running the external Morpho npm CLI and sharing wallet addresses with it. Treat outputs as sensitive financial data, verify chain IDs, contract addresses, amounts, approvals, borrow terms, and simulation results, and never sign any transaction unless you have reviewed it in your wallet and understand the on-chain effect.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
This documentation explicitly instructs consumers to use an ordered array of unsigned transactions to sign and send for actions like deposit, withdraw, supply, and borrow, but it does not prominently warn that these are real on-chain transactions that can move assets, create debt, or require token approvals. In a wallet-integrated or agent-driven context, that omission can normalize automatic execution and increase the risk of users or downstream tooling signing value-bearing transactions without adequate confirmation or risk review.

VirusTotal

65/65 vendors flagged this skill as clean.