Security audit

Apex Pulse

Security checks across malware telemetry and agentic risk

Overview

This paid heartbeat-check skill is transparent about its fixed endpoint and per-call price, but users should understand it spends from an EVM wallet key when used.

Install only if you intentionally want paid APEX heartbeat checks. Use a dedicated low-balance wallet on Base, expect a USDC charge per request, and confirm before letting an agent call the endpoint repeatedly.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to use an environment-sourced EVM private key to make an x402-authenticated external request that automatically authorizes payment, but it does not provide an explicit warning that executing the skill spends funds and uses a highly sensitive credential. In an agent setting, this can lead to unintended paid transactions, unsafe key handling, or users invoking the skill without understanding the financial and secret-management implications.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal