Sui Sec

Security checks across malware telemetry and agentic risk

Overview

This Sui transaction guard is purpose-aligned, but it overstates its safety checks and can approve real blockchain transactions after an incomplete audit.

Install only if you treat this as a helper rather than a complete transaction safety tool. Before signing, manually verify the active Sui wallet, exact command, recipients, asset amounts, object changes, call target, gas, and dry-run output; do not rely on SAFE TO SIGN alone.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93%
Finding
The skill instructs the agent to run shell commands (`python3 main.py ...`, `sui client call --dry-run`, and later real `sui client ptb ...`) while declaring no permissions. That mismatch is dangerous because it hides the skill's execution capability from any permission-review or policy layer, increasing the chance that an agent executes external commands without appropriate approval or sandboxing.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98%
Finding
This is a true security issue because the skill claims to be a transaction safety gate but, per the finding, its actual behavior is much weaker: it accepts broad `sui` commands, performs only limited cost comparison, and does not meaningfully verify object hijacking or malicious behavior. In a security-oriented skill, overclaiming protection is especially dangerous because users may rely on it to approve risky blockchain transactions under a false sense of safety, leading to asset loss.

Description-Behavior Mismatch

Medium
Confidence
98%
Finding
The skill claims it compares simulated transaction effects against user intent and blocks malicious behavior, but the implementation only checks aggregate SUI loss against an intended spend threshold. It does not validate recipients, transferred object types, package/function targets, coin transfers, approvals, or other side effects, so a malicious transaction can still be labeled safe if it stays within the spend threshold.

Intent-Code Divergence

High
Confidence
99%
Finding
The code prints 'SAFE TO SIGN' even though the advertised asset-hijacking/object-ownership checks are not implemented; the relevant section is just a placeholder containing `pass`. In a security tool whose purpose is to decide whether a blockchain transaction is safe, false reassurance is dangerous because users may authorize malicious transactions based on incomplete analysis.

VirusTotal

66/66 vendors flagged this skill as clean.
