Back to skill

Security audit

Helius Openapi Skill

Security checks across malware telemetry and agentic risk

Overview

The skill appears to provide purpose-aligned blockchain wallet research through Helius, with a privacy disclosure gap but no evidence of hidden, destructive, or privilege-seeking behavior.

Before installing, be aware that wallet addresses and related lookup details may be sent to Helius and could be logged by that provider. Avoid querying sensitive targets from identifiable environments, minimize query size and frequency, and review Helius data-handling terms or use a local/self-hosted alternative if operational privacy is critical.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The usage examples encourage querying wallet identities, balances, transfers, and funding history against a third-party service without explicitly warning that wallet addresses and associated activity are disclosed to Helius. While blockchain data is often public, linking queried addresses, operator intent, timing, and investigation targets to an external API can create privacy, compliance, and operational-security risks for users.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.