Security audit

Analysis

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed pay-per-call BTC dominance API helper, with the main caution that it uses an EVM private key to authorize USDC payments.

Install only if you are comfortable letting the agent use an EVM private key for x402 payments. Use a dedicated low-balance wallet with only the USDC you intend to spend, and avoid reusing a wallet that holds significant funds or unrelated assets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to use an environment-provided EVM private key to make an x402-authenticated request and states that payment authorization is handled automatically, but it does not prominently warn about real financial spend, wallet risk, or safe key handling. In an agent context, this can lead to unintended on-chain payment attempts or unsafe exposure/use of a sensitive signing key, especially if the user assumes the skill is read-only market data.

VirusTotal

63/63 vendors flagged this skill as clean.