Spacescan

Security checks across malware telemetry and agentic risk

Overview

This is a read-only Spacescan.io blockchain lookup skill that uses a disclosed API key and standard Node installation steps.

Install this only if you want Spacescan.io blockchain lookups and are comfortable sending queried addresses, hashes, and your Spacescan API key to Spacescan. Prefer a scoped Spacescan key and avoid putting secrets in shared shell profiles or synced dotfiles; skip npm link if you do not want global scan/spacescan commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The README instructs users to append the API key directly into a shell profile, which stores the credential in plaintext on disk and may expose it to other local users, backups, dotfile sync services, or accidental commits. While this is documentation rather than executable code, it normalizes insecure secret handling and can lead to credential leakage in real deployments.

VirusTotal

60/60 vendors flagged this skill as clean.
