Go4Me

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it can submit real XCH wallet transfers and its recipient lookup is not tightly scoped enough for that level of risk.

Review before installing. Use only normal Twitter-style handles, verify the full resolved XCH address and amount before confirming, treat wallet certificate/key paths as sensitive secrets, and install the sage-wallet dependency only from a source you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 80%
Finding
The skill facilitates cryptocurrency transfers but does not clearly warn users that XCH transactions are irreversible. This increases the risk of user harm from mistakes, phishing via mistaken identity, or sending funds to an incorrect resolved address, especially since the skill resolves recipients from third-party profile data.

Missing User Warnings

Medium
Confidence: 84%
Finding
The documentation shows use of local wallet certificate and key material in a request flow without any warning about the sensitivity of those credentials. In this context, omission matters because the skill handles value transfer through local wallet authentication, and unsafe handling or logging of `$CERT`/`$KEY` could expose wallet access or normalize insecure operational practices.

VirusTotal

64/64 vendors flagged this skill as clean.
