Security audit

Apex Alpha Score

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed paid crypto API integration, but it can spend USDC using an EVM private key without clear per-call user confirmation or spending limits.

Install only if you intentionally want an agent to buy this trading signal. Use a dedicated low-balance wallet, review each request before it is made, and avoid exposing a primary wallet private key through EVM_PRIVATE_KEY.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs the agent to use an environment-provided EVM private key to make an authenticated paid network request, but it does not explicitly warn the user that invoking the skill can spend funds from the wallet. Even if the x402 client handles payment as designed, this creates a real risk of unintended on-chain spending or repeated charges if the skill is triggered automatically or without clear user consent.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal