Security audit

Agent Conviction Score

Security checks across malware telemetry and agentic risk

Overview

This skill is a paid market-narrative API helper, but it asks an agent to use an EVM private key for automatic paid x402 requests without clear spending controls.

Review before installing. Use only a dedicated low-balance wallet for EVM_PRIVATE_KEY, avoid wallets holding important funds, and monitor or cap usage because each agent invocation can trigger a paid request and expose wallet-linked usage metadata to the service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs the agent to make an x402-authenticated request that automatically authorizes payment using an environment-provided EVM private key, but it does not warn the user that invoking the skill can spend on-chain funds and reveal wallet-linked usage metadata to a third-party service. Because the request is framed as automatic and frictionless, an agent or user could trigger real monetary charges without explicit informed consent, creating a clear spending and privacy risk.

VirusTotal

61/61 vendors flagged this skill as clean.
