Autonomous Agent Skills

Security checks across malware telemetry and agentic risk

Overview

The skill's main x402 payment workflow is mostly disclosed, but the bundle also includes unrelated social-network automation instructions and broad wallet commands that can move or trade funds.

Install only if you intend to give an agent a separate, minimally funded wallet for automatic x402 payments. Do not point it at personal or high-value wallets; prefer testnet or capped balances. Review or remove the transfer, swap, and contract helpers if you only need MCP payments, and ignore/remove the bundled Moltbook skill unless you separately want autonomous social posting and messaging. Require human approval for any fund movement, token approval, contract write, bank-linking, email score lookup, or outbound social communication.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (16)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The heartbeat materially expands behavior from the advertised x402 finance/payment capability into autonomous social-network activity, including checking feeds, engaging with posts, and managing DMs. In an autonomous-agent marketplace context, this is dangerous because it grants unrelated external interaction surfaces that can be abused for spam, social engineering, reputation manipulation, or covert command-and-control through a social platform.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The document explicitly instructs the agent to autonomously send private messages, approve or handle conversations, and create public posts, all unrelated to the declared financial tooling. Because the skill is meant for autonomous download and use by agents, these capabilities create a direct path for unauthorized outbound communications, privacy exposure, and manipulation of third parties without clear operator intent.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The CLI documentation exposes transfer and swap commands that are not reflected in the higher-level manifest/tooling description. Hidden or undocumented asset-movement functions are especially risky for autonomous agents, because operators may approve the skill for low-value scoring/prediction use without realizing it can also transfer tokens or execute swaps.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The OpenAPI spec exposes sensitive financial and identity-related capabilities beyond straightforward stock prediction/backtesting, including bank account opening/linking and email-based identity resolution for scores. In an autonomous-agent marketplace context, these extra capabilities materially expand the skill's authority and can enable unauthorized collection of financial linkage tokens or deanonymization of users if an agent invokes them without clear user consent.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
Email-based score lookup introduces a powerful identity-resolution feature that links onboarding-submission data to financial/reputation scores, which is more sensitive than wallet-based lookups. In an autonomous agent setting, this can facilitate privacy violations, enumeration of users by email, and access to personal scoring data without a clear need tied to the stated skill purpose.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The code generates new Aptos and EVM wallets and persists objects containing private keys via saveAptosWallet/saveEvmWallet, but there is no indication of encryption, hardware-backed storage, access control, or user-confirmation safeguards. In an autonomous-agent marketplace context, giving a downloaded skill the ability to silently create and store spend-capable wallets materially increases the risk of secret exposure, unintended payments, and abuse if local storage or downstream code is compromised.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
This file implements a fully generic EVM contract caller that can invoke arbitrary functions on arbitrary contract addresses and optionally attach ETH, which materially exceeds the skill’s stated purpose of x402-protected finance and scoring tools. In an autonomous-agent marketplace context, this creates a dangerous capability expansion: any downstream agent or prompt injection that reaches this command can trigger token approvals, transfers, contract interactions, or payable calls from the skill wallet.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The write path directly submits arbitrary state-changing transactions via `walletClient.writeContract` using user-supplied contract address, function signature, and arguments. That means an autonomous consumer can be induced to grant unlimited token approvals, transfer assets, interact with malicious contracts, or invoke privileged protocol methods, all under the skill wallet’s authority.

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
This file implements a full token swap capability, including quotes, approvals, and transaction execution, but the skill metadata describes stock predictions, backtests, bank linking, and scoring tools rather than asset trading. In an autonomous-agent marketplace, hidden or undocumented transaction capabilities materially increase risk because agents may invoke them without users understanding that the skill can move on-chain assets.

Context-Inappropriate Capability

High
Confidence: 96%
Finding
The code can autonomously obtain quotes, approve ERC20 spend, assemble a router transaction from a third-party API, and broadcast a swap. Because the stated skill purpose does not justify on-chain exchange operations, this creates a dangerous mismatch: an autonomous agent could trigger real asset trades and token approvals in contexts where operators only expected analytics or onboarding features.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
This file exposes a general-purpose asset transfer capability for native tokens and arbitrary ERC20s, but the skill metadata describes payment-protected MCP tools for predictions, backtests, bank linking, and scoring rather than wallet fund transfers. In an autonomous-agent marketplace context, hidden transfer functionality is especially dangerous because an agent or integrator may import the skill expecting data/payment flow support while unknowingly gaining a primitive that can exfiltrate funds.

Context-Inappropriate Capability

High
Confidence: 96%
Finding
The code performs actual on-chain transfers using walletClient.sendTransaction and walletClient.writeContract, enabling movement of ETH and arbitrary ERC20 tokens to any supplied address. That is materially broader than the stated skill purpose, and in an autonomous-agent setting it creates a direct theft or unauthorized-payment path if the script is invoked by another component, prompt, or workflow.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
* Check and set ERC20 approval for Odos router if needed
 */
async function ensureApproval(publicClient, walletClient, tokenAddress, spender, amount, walletAddress) {
  if (tokenAddress === NATIVE_TOKEN) return; // No approval needed for native token

  const currentAllowance = await publicClient.readContract({
    address: tokenAddress,
Confidence: 93%
Finding
No approval

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
Options:
  --slippage <n> Slippage tolerance in percent (default: 0.5)
  --yes          Skip confirmation prompt
  --quote-only   Get a quote without executing the swap
  --json         Output in JSON format
  --help         Show this help message
Confidence: 88%
Finding
Skip confirmation

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
tokenAddress   ERC20 token contract address (optional, for token transfers)

Options:
  --yes          Skip confirmation prompt
  --json         Output in JSON format
  --help         Show this help message
Confidence: 90%
Finding
Skip confirmation

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
Examples:
  node src/transfer.js base 0x123... 0.01                    # Send 0.01 ETH on Base
  node src/transfer.js base 0x123... 100 0x833589fcd...      # Send 100 USDC on Base
  node src/transfer.js ethereum 0x123... 0.5 --yes          # Send 0.5 ETH, skip confirmation
`);
}
Confidence: 88%
Finding
skip confirmation

VirusTotal

58/58 vendors flagged this skill as clean.
