Handshake58 DRAIN
Security checks across malware telemetry and agentic risk
Overview
The skill is transparent about its crypto-payment purpose, but it gives an external MCP package access to a wallet private key that can spend funds.
Treat this as a high-risk financial integration. Use only a fresh low-balance Polygon wallet, never a main wallet or seed phrase, review the drain-mcp npm package/source before installing, monitor wallet activity, and close expired channels to recover unused USDC.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
64/64 vendors flagged this skill as clean.