Back to skill

Security audit

Agentsmint

Security checks across malware telemetry and agentic risk

Overview

This is a coherent AgentsMint NFT integration, but it enables financially meaningful blockchain and marketplace actions without clear confirmation safeguards.

Install only if you want an agent to manage NFTs through AgentsMint on Base. Require a separate confirmation before any deploy, mint, buy, list, purchase-confirmation, or ownership-transfer step, including exact wallet, chain, contract, recipient, listing or collection ID, price, gas estimate, transaction hash, and ownership setting. A dedicated low-balance wallet is safer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill's activation guidance is broad enough to trigger on common NFT-related requests without clearly restricting when autonomous blockchain actions are appropriate. In a skill that can create collections, deploy contracts, and facilitate purchases, ambiguous invocation boundaries increase the chance of unintended financial or on-chain actions from loosely related user prompts.

Missing User Warnings

High
Confidence
95% confidence
Finding
The documentation walks the agent through purchase, minting, listing, and contract deployment flows without prominent warnings that these actions can be irreversible, transfer value, affect asset ownership, and require gas or other transaction costs. In blockchain contexts, omission of explicit consent and risk disclosures is dangerous because an agent may proceed with financially meaningful on-chain steps based on routine instructions or incomplete user understanding.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.