Security audit

Apex Evolution Insight Institutional

Security checks across malware telemetry and agentic risk

Overview

This paid crypto-signal skill is coherent, but it lets an agent use a wallet private key for automatic $30 paid calls without clear confirmation or spending limits.

Install only if you are comfortable allowing an agent to use an EVM wallet key for paid x402 calls. Use a dedicated low-balance Base wallet, expect $30 per call before discounts, and require your agent to ask before every paid request.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly instructs the agent to use an environment-provided EVM private key to make an x402-authenticated request and states that payment authorization happens automatically, but it does not present any explicit warning, consent gate, spending limit, or key-handling precautions. This creates a real risk of unintended financial spend and unsafe exposure of a highly sensitive credential in an agent context, especially because the skill is commercial and normalizes direct wallet-backed payment execution.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal