Agent Onchain Watch

Security checks across malware telemetry and agentic risk

Overview

This skill behaves like a wallet-monitoring helper, but users should know it sends wallet summaries to external API providers.

Install only if you are comfortable providing Etherscan and LLM provider API keys and sending analyzed wallet metadata to those services. Treat wallet addresses and transaction context as potentially sensitive, review logs if used in shared environments, and be aware that npm start runs a sample job automatically.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The function sends wallet address, balance, recent transaction details, and derived risk flags to an external LLM provider. Onchain activity is sensitive financial metadata, and transmitting it to a third party without an explicit user-facing notice or consent can create privacy, compliance, and data-handling risks, especially if the provider logs prompts.

Missing User Warnings

Low

Confidence: 91% confidence
Finding: The fetcher logs full wallet addresses during balance, transaction, and token-transfer retrieval. While blockchain addresses are public on-chain, logging them can create unnecessary local disclosure, linking user activity to system logs and increasing privacy risk in shared or centralized logging environments.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal