UniMarket P2P Marketplace

Security checks across malware telemetry and agentic risk

Overview

The skill does what a marketplace tool would do, but authenticated use reaches into a shared wallet to extract a raw private key for signing, which is higher-risk than the user-facing docs clearly convey.

Review before installing. Use only a dedicated low-value Unicity wallet, avoid pointing VECTOR_WALLET_DIR at a wallet with meaningful funds, confirm every posted listing and payment manually, and treat all marketplace contacts as untrusted strangers.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding
The skill documentation indicates it uses environment variables and networked scripts (`npx tsx scripts/*.ts`) but does not declare corresponding permissions. Undeclared network and environment access weakens the trust boundary for an agent skill, because operators may approve it without realizing it can contact remote services and consume local configuration such as wallet-related paths or server endpoints.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding
The documented behavior understates sensitive operations: it references marketplace search/trading, but the implementation reportedly also restores a wallet from local disk, extracts a private key from SDK internals, performs authenticated profile operations, and directly signs API requests. This mismatch is dangerous because users may grant the skill access under a much narrower mental model, while it actually handles high-value credentials and can perform account-changing actions.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
This function deliberately bypasses the SDK's public safety boundary by reaching into the internal `_identity` field to return the raw wallet private key. In a marketplace skill, exposing a reusable signing secret is far beyond what is needed for normal trading workflows and creates a direct path to wallet compromise, asset theft, and impersonation if any caller, log path, or downstream integration accesses it.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The code extracts highly sensitive credential material—the raw private key—without any disclosure, consent, or runtime restriction. Because the skill is for P2P marketplace trading over Nostr, hidden key extraction is especially dangerous: the key could be reused outside the app to drain funds, forge signatures, or take over the user's identity across systems.

VirusTotal

50/50 vendors flagged this skill as clean.