Security audit

Apex Evolution Insight

Security checks across malware telemetry and agentic risk

Overview

This paid crypto-signal skill is coherent, but it asks agents to use a raw wallet private key for automatic paid requests without clear spending controls or private-key safety guidance.

Install only if you are comfortable letting an agent use an EVM private key for paid x402 calls. Use a dedicated low-balance wallet on Base, expect about $15 per call before discounts, and require your agent to confirm before each request.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to use an EVM private key from the environment to authorize an x402-paid request, but it provides no explicit warning that this can spend on-chain funds or that exposing/misusing the private key could compromise the wallet. In the context of an agent skill, this is dangerous because users may run it with a funded wallet and unknowingly authorize paid calls or broader wallet abuse if the key is reused elsewhere.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal