Back to skill

Security audit

Moralis OpenAPI Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed, read-only Moralis wallet-data integration with privacy and API-key handling considerations but no evidence of hidden or harmful behavior.

Install this only if you intend to query EVM wallet and token data through Moralis. Use a dedicated Moralis API key, avoid analyzing wallets you are not authorized to profile, keep history and swaps queries narrow, and review or pin the OpenAPI schema before linking from a remote URL.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This OpenAPI schema defines multiple outbound calls that transmit wallet addresses and related query parameters to Moralis, but the file provides no user-facing disclosure, consent mechanism, or privacy warning. Even though the API is read-only and targets public blockchain data, wallet addresses are still sensitive from a privacy and profiling perspective because they can be correlated with balances, history, swaps, and net worth through a third-party service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.