Qrcoin

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent QR Coin auction helper, but users should treat its Bankr prompts as real-money blockchain transactions.

Install only if you intend to participate in QR Coin auctions. Before signing in Bankr or a wallet, verify the official site, Base network, contract address, active token ID, URL/name, amount, gas fee, and USDC allowance. Prefer limited approvals and revoke unused allowance after bidding.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill guides the user through approving USDC and sending live on-chain transactions, but it does not place a clear, prominent safety warning before those steps stating that these actions spend real funds, grant token allowance, and are irreversible once submitted. In a blockchain skill, this omission materially increases the risk of unintended financial loss or overbroad approvals because users may treat the flow as informational rather than transactional.

VirusTotal

66/66 vendors flagged this skill as clean.
