Etherscan MCP Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed helper for using Etherscan MCP through UXC; it asks for expected API-key and network access but does not hide unrelated behavior.

Install this only if you intend to use Etherscan MCP through UXC. Use a dedicated Etherscan API key, confirm the UXC auth binding is limited to mcp.etherscan.io/mcp, inspect tool help before calls, and require explicit confirmation before any contract verification action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Tp4 (High)
Category: MCP Tool Poisoning
Confidence: 98%
Finding:
This is a mismatch because the description presents the skill as an operational tool for Etherscan MCP-based blockchain analysis, but the actual code shown only performs static validation of the skill's files and documentation. It does not check balances, inspect transactions, analyze token holders, look up contracts, authenticate to Etherscan, or access the MCP endpoint. Its primary purpose is build/package validation, which differs materially from the declared runtime investigative purpose.

VirusTotal

64/64 vendors flagged this skill as clean.
