Security audit

Zhentan

Security checks across malware telemetry and agentic risk

Overview

Zhentan is a coherent crypto security co-signer, but it gives chat-driven authority to execute on-chain transactions and change security controls without enough visible safeguards.

Install only if you trust the Zhentan service with the relevant Safe and have verified server-side authorization, transaction previews, audit logs, secret revocation, and safeguards for disabling screening or changing rules. Start with low-value assets or limited permissions before granting authority over important wallets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
The skill description frames Zhentan as a transaction review/co-signer tool, but the documented commands also let the agent change global limits, risk thresholds, and learning behavior, and create, update, or delete security rules. That materially expands its authority from reviewing transactions to rewriting the security policy that governs future approvals, which could let a compromised or overly trusting agent weaken protections and enable unsafe auto-approvals.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
The statement that the agent handles owner commands by 'execute scripts' is dangerous because it introduces open-ended code execution behavior unrelated to the narrowly scoped API workflows otherwise described. In a Telegram-driven security co-signer context, ambiguous script execution could be abused to run unintended commands, bypass intended API controls, or expand the blast radius beyond transaction handling.

Missing User Warnings

Severity: Medium
Confidence: 88%
The approve flow directly co-signs and executes an on-chain transaction but does not require an explicit user-facing warning that execution may be irreversible and may transfer assets immediately. In a wallet/co-signer skill, missing this warning increases the chance of accidental loss from misclicks, social engineering, or misunderstanding of what 'approve' does.

Missing User Warnings

Severity: Medium
Confidence: 90%
The skill allows screening to be turned off without a clear warning that this disables an important safety control and could permit risky transactions to proceed without analysis. Because the product is explicitly a security agent, disabling screening substantially changes the user's protection posture and should be treated as a sensitive action.

VirusTotal

65/65 vendors flagged this skill as clean.