
Security audit

Apex Alpha Score Institutional

Security checks across malware telemetry and agentic risk

Overview

This skill is a paid crypto-signal integration that discloses its price, but it asks agents to use a raw EVM private key for automatic on-chain payment without any explicit confirmation safeguard.

Install it only if you intend agents to make paid x402 requests for this signal. Fund a dedicated low-balance wallet for it, never a primary personal or treasury wallet, and require explicit confirmation before each call, because every request the agent makes can spend USDC from that wallet.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill instructs the agent to use an environment-sourced EVM private key to make an x402-authenticated paid request, but it does not clearly warn that this both exposes a highly sensitive credential to runtime use and authorizes on-chain spending from the associated wallet. In an agent setting this can lead to unintended financial loss or unsafe key handling: a user may supply a hot-wallet key without understanding that the agent can then sign payments on its own, and that the key is present in the agent's process environment for the lifetime of the session.
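The mitigation the overview recommends (explicit confirmation before each paid call, a capped wallet) and the failure mode this finding describes (an agent signing payments on its own) are the same control seen from two sides. The following is an added example of a spending guard that sits between an agent tool and the wallet; it is not code from the audited skill or from any x402 client library. It assumes nothing about the x402 protocol beyond "the endpoint asks for an amount of some asset to some recipient": PaymentRequest is a constructed model of that, and the `sign` callable is a hypothetical stand-in for whatever holds the key, which this guard deliberately never touches.

```python
"""Spending guard for agent-initiated paid requests (added example).

The guard enforces an asset allow-list, a hard per-call ceiling, a running
session budget and a mandatory confirmation hook before delegating to a
caller-supplied signer. It is library-agnostic: PaymentRequest is a
constructed model of what a paid endpoint quotes, and `sign` is a stand-in
for the wallet (assumption; the real signer lives outside this code).
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Callable


@dataclass(frozen=True)
class PaymentRequest:
    recipient: str   # destination address quoted by the endpoint
    amount: Decimal  # in the asset's units, e.g. USDC
    asset: str       # e.g. "USDC"
    resource: str    # URL or identifier of the paid resource


class PaymentDenied(Exception):
    pass


@dataclass
class SpendingGuard:
    per_call_limit: Decimal
    session_budget: Decimal
    allowed_assets: frozenset
    confirm: Callable[[PaymentRequest], bool]  # human approval, called on every payment
    sign: Callable[[PaymentRequest], str]      # wallet-side signer; holds the key, not us
    spent: Decimal = Decimal("0")
    log: list = field(default_factory=list)

    def pay(self, req: PaymentRequest) -> str:
        # 1. Asset allow-list: the endpoint must not be able to steer the agent
        #    into paying with a token the user never intended to spend.
        if req.asset not in self.allowed_assets:
            self._deny(req, f"asset {req.asset} not allowed")
        # 2. Hard per-call ceiling, independent of whatever the endpoint quotes.
        if req.amount <= 0 or req.amount > self.per_call_limit:
            self._deny(req, f"amount {req.amount} exceeds per-call limit")
        # 3. Running session budget, so a looping agent cannot drain the wallet
        #    one small payment at a time.
        if self.spent + req.amount > self.session_budget:
            self._deny(req, "session budget exhausted")
        # 4. Explicit confirmation on every call, after the cheap checks, so the
        #    human only sees requests that are already within policy.
        if not self.confirm(req):
            self._deny(req, "user declined")
        signature = self.sign(req)
        self.spent += req.amount
        self.log.append(f"PAID {req.amount} {req.asset} -> {req.recipient} for {req.resource}")
        return signature

    def _deny(self, req: PaymentRequest, reason: str) -> None:
        self.log.append(f"DENIED {req.amount} {req.asset} -> {req.recipient}: {reason}")
        raise PaymentDenied(reason)


def demo() -> dict:
    """Run the guard over a constructed sequence of requests and report outcomes."""
    confirmations = []

    def confirm(req: PaymentRequest) -> bool:      # stand-in for an approval prompt
        confirmations.append(req.resource)
        return req.resource != "https://signals.example/premium"  # user rejects this one

    def fake_sign(req: PaymentRequest) -> str:     # stand-in for the wallet signer
        return "0xsig-" + req.resource.rsplit("/", 1)[-1]

    guard = SpendingGuard(
        per_call_limit=Decimal("0.10"),
        session_budget=Decimal("0.25"),
        allowed_assets=frozenset({"USDC"}),
        confirm=confirm,
        sign=fake_sign,
    )

    def usdc(amount: str, resource: str) -> PaymentRequest:
        return PaymentRequest("0xRECIPIENT", Decimal(amount), "USDC", resource)

    requests = [                                        # constructed sample traffic
        usdc("0.05", "https://signals.example/score"),   # paid
        usdc("0.50", "https://signals.example/bulk"),    # over per-call limit
        usdc("0.05", "https://signals.example/premium"), # user declines
        PaymentRequest("0xRECIPIENT", Decimal("0.05"), "ETH", "https://signals.example/eth"),
        usdc("0.10", "https://signals.example/score"),   # paid, running total 0.15
        usdc("0.10", "https://signals.example/score"),   # paid, running total 0.25
        usdc("0.01", "https://signals.example/score"),   # budget exhausted
    ]
    outcomes = []
    for req in requests:
        try:
            outcomes.append(("paid", guard.pay(req)))
        except PaymentDenied as exc:
            outcomes.append(("denied", str(exc)))
    return {
        "outcomes": outcomes,
        "spent": str(guard.spent),
        "confirmations": len(confirmations),
        "log": guard.log,
    }


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

The ordering matters: policy checks run before the confirmation hook, so the human is never asked to approve something the budget would reject anyway, and the signer is only reached after all four gates pass. Keeping the key behind the `sign` callable (ideally in a separate process or a hardware-backed signer) is what turns "dedicated low-balance wallet" from advice into a limit the agent cannot exceed.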

VirusTotal

62/62 vendors flagged this skill as clean. This is a file-level malware scan; it says nothing about the behavioural risk in the finding above, which comes from what the skill instructs the agent to do with a private key, not from malicious code in the package.
