Agent GoFundMe

Security checks across malware telemetry and agentic risk

Overview

This is a coherent crowdfunding skill, but it can guide agents through real USDC payments without enough approval, limit, or credential-safety guidance.

Install only if you intend to let an agent interact with a real USDC crowdfunding service. Use a dedicated low-balance wallet and limited credentials, keep keys out of prompts, logs, screenshots, and repos, verify campaign IDs and amounts manually, and require explicit approval before any activation fee, contribution, settlement, or other money-moving action. Review the external MCP server code separately before running it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly documents payment-related actions such as campaign activation fees and USDC contributions, but it does not warn users that these operations can trigger real monetary transfers, fees, and irreversible blockchain settlement. In an agent context, this omission increases the chance that a user or autonomous system will invoke funding operations without informed consent or adequate approval controls.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal