Security audit

Btc Price Tick

Security checks across malware telemetry and agentic risk

Overview

This skill is a paid BTC price feed, but it asks the agent to use an unrestricted EVM private key for automatic per-call payments, including in polling loops.

Review before installing. Use only a dedicated low-balance wallet or delegated payment credential, understand that each request may spend funds, and avoid unattended polling unless you have set external rate limits or spending controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill instructs the agent to make an x402-authenticated request using an environment-provided EVM private key and states that payment authorization is handled automatically, but it does not clearly warn that each call can spend on-chain funds and disclose wallet-linked metadata to a third-party service. In an agent setting, especially with high-frequency polling loops explicitly encouraged by the skill, this can lead to unintended recurring charges and privacy exposure without meaningful user awareness or consent.

VirusTotal

VirusTotal findings are pending for this skill version.