Back to skill

Security audit

Dexie

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Dexie.space API client for Chia DEX market information, with dependency hygiene caveats but no evidence of malicious behavior.

Before installing, understand that this skill sends Dexie-related queries to the public Dexie.space API and returns market data that should not be treated as financial advice. For best supply-chain hygiene, install from the included lockfile or review the resolved npm dependencies before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill instructs the agent to invoke Dexie handling for broad natural-language requests about 'Chia DEX, trading, or token prices,' which can cause unintended activation from loosely related user queries. Over-broad routing increases the chance of sending user input to the skill and its external API when the user did not explicitly request it, creating unnecessary external data exposure and incorrect tool use.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"author": "Jeff Coleman",
  "license": "MIT",
  "dependencies": {
    "axios": "^1.6.0"
  },
  "engines": {
    "node": ">=18.0.0"
Confidence
96% confidence
Finding
"axios": "^1.6.0"

Known Vulnerable Dependency: axios==1.6.0 — 10 advisory(ies): CVE-2026-44494 (axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `co); CVE-2026-44495 (axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollut); CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
axios==1.6.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.