Security audit

Btc Dominance

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed pay-per-call BTC dominance API helper; the main caution is that it uses an EVM private key to authorize USDC payments.

Install only if you are comfortable letting the agent use an EVM private key for x402 payments. Use a dedicated low-balance wallet on Base with only the USDC you intend to spend, and avoid reusing a wallet that holds significant funds or unrelated assets.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to make an x402-authenticated request using an on-chain private key and notes that payment authorization is handled automatically, but it does not clearly warn that invoking the endpoint can spend funds from the user's wallet. Because the required environment variable is a live EVM private key, a user or downstream agent could trigger paid calls without fully understanding the financial consequence, especially in automated or repeated execution contexts.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal