Security audit

Agent Stress Index

Security checks across malware telemetry and agentic risk

Overview

This paid crypto-signal skill is mostly transparent, but it needs Review because it asks an agent to use a wallet private key for automatic paid calls without built-in spending controls.

Review before installing. Use only a dedicated low-balance wallet, assume each call can spend USDC on Base, confirm costs before first use, and avoid exposing a primary wallet private key to an agent environment.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to use an on-chain private key from EVM_PRIVATE_KEY to make an x402-authenticated paid request, but it does not clearly warn that this can spend wallet funds and expose transaction/payment metadata. In an agent setting, describing automatic payment handling without explicit consent boundaries, spending limits, or privacy warnings increases the risk of unintended financial charges and unsafe secret use.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal