
Security audit

Capital Rotation Signal

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed pay-per-call helper for a BTC dominance API. The main risk is that it holds an EVM wallet private key and uses it to authorize USDC payments over x402, so every call the agent makes can move funds.

Install only if you are comfortable letting an agent use a dedicated EVM wallet for x402 payments. Fund that wallet with only the USDC you are willing to spend, monitor repeated calls, and avoid using a wallet that holds significant funds or unrelated assets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill explicitly instructs the agent to make an x402-authenticated request using an EVM private key and states that payment authorization is handled automatically, but it does not clearly warn that each invocation can spend USDC from the user's wallet. In an agent skill context, this is dangerous because an LLM-driven agent may call the endpoint autonomously or repeatedly, causing unintended financial loss through wallet-funded micropayments.
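The mitigation both the overview and this finding point at (a dedicated wallet, a fixed amount of USDC you are willing to lose, and monitoring of repeated calls) can be enforced in the agent runtime rather than left to the LLM. The following is an added example, not code from the skill or from any x402 library: a spend guard that sits in front of whatever function actually signs the x402 payment. It assumes the HTTP 402 payment requirement carries the amount in USDC atomic units (6 decimals) as a decimal string in a field named `maxAmountRequired`, together with `network` and `asset` fields; the signer passed to `guardedPay` and the USDC contract address in `demo` are placeholders for the demonstration.

```javascript
// Added example: a spend guard for agent-initiated x402 payments.
// The x402 client and the EVM signing step are not modeled; `signPayment`
// is a caller-supplied function and the requirement shape is assumed.

const USDC_DECIMALS = 6; // USDC uses 6 decimals on EVM chains

// Convert a human USDC amount such as "0.25" into atomic units as a BigInt.
function usdcToAtomic(amount) {
  const [whole, frac = ""] = String(amount).split(".");
  if (!/^\d+$/.test(whole) || !/^\d*$/.test(frac) || frac.length > USDC_DECIMALS) {
    throw new Error(`invalid USDC amount: ${amount}`);
  }
  return BigInt(whole) * 10n ** BigInt(USDC_DECIMALS) + BigInt(frac.padEnd(USDC_DECIMALS, "0"));
}

class SpendGuard {
  constructor({ allowedNetwork, allowedAsset, maxPerCall, maxTotal, maxCallsPerWindow, windowMs }) {
    this.allowedNetwork = allowedNetwork;
    this.allowedAsset = String(allowedAsset).toLowerCase();
    this.maxPerCall = usdcToAtomic(maxPerCall);   // cap on a single payment
    this.maxTotal = usdcToAtomic(maxTotal);       // cap on cumulative spend this session
    this.maxCallsPerWindow = maxCallsPerWindow;   // rate limit on paid calls
    this.windowMs = windowMs;
    this.spent = 0n;
    this.callTimes = [];
  }

  // Decide whether this payment may be signed. Nothing is recorded as spent
  // until commit() runs, so a rejected call costs the wallet nothing.
  check(requirement, now = Date.now()) {
    if (requirement.network !== this.allowedNetwork) return { ok: false, reason: "unexpected network" };
    if (String(requirement.asset).toLowerCase() !== this.allowedAsset) return { ok: false, reason: "unexpected asset" };
    let amount;
    try { amount = BigInt(requirement.maxAmountRequired); } catch { return { ok: false, reason: "unparseable amount" }; }
    if (amount <= 0n) return { ok: false, reason: "non-positive amount" };
    if (amount > this.maxPerCall) return { ok: false, reason: "exceeds per-call cap" };
    if (this.spent + amount > this.maxTotal) return { ok: false, reason: "exceeds session budget" };
    this.callTimes = this.callTimes.filter((t) => now - t < this.windowMs);
    if (this.callTimes.length >= this.maxCallsPerWindow) return { ok: false, reason: "rate limit" };
    return { ok: true, amount };
  }

  // Record a payment that was actually signed.
  commit(amount, now = Date.now()) {
    this.spent += amount;
    this.callTimes.push(now);
  }
}

// Wrap the signing function so every payment passes through the guard first.
function guardedPay(guard, signPayment) {
  return (requirement, now = Date.now()) => {
    const verdict = guard.check(requirement, now);
    if (!verdict.ok) return { paid: false, reason: verdict.reason };
    const payload = signPayment(requirement);
    guard.commit(verdict.amount, now);
    return { paid: true, payload };
  };
}

// Constructed demo: an agent loops on the endpoint five times within one
// minute, with a 0.01 USDC per-call cap, 0.05 USDC budget, 3 calls/minute.
function demo() {
  const guard = new SpendGuard({
    allowedNetwork: "base",
    allowedAsset: "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913", // assumed USDC contract for the demo; verify before use
    maxPerCall: "0.01",
    maxTotal: "0.05",
    maxCallsPerWindow: 3,
    windowMs: 60_000,
  });
  const pay = guardedPay(guard, (req) => ({ signedFor: req.maxAmountRequired })); // stub signer
  const req = { network: "base", asset: "0x833589fcd6edb6e08f4c7c32d4f71b54bda02913", maxAmountRequired: "10000" }; // 0.01 USDC
  const outcomes = [];
  for (let i = 0; i < 5; i++) outcomes.push(pay(req, 1_000 + i).reason ?? "paid");
  return outcomes; // first three paid, then the rate limit refuses the rest
}
```

The checks run in the order a practitioner would want: refuse anything on the wrong chain or in the wrong token before looking at amounts, then the per-call cap, then the session budget, then the rate limit. Keying the guard to a single dedicated wallet and exporting `guard.spent` to your logs gives you the "monitor repeated calls" part of the overview's advice without relying on the model to police itself.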

VirusTotal

63/63 vendors flagged this skill as clean.
