Security audit

Execution Window Optimizer

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent and not malicious, but it asks an agent to use a raw wallet private key for automatically paid requests, so users should review it carefully before installing.

Install only if you are comfortable letting an agent make paid x402 requests from an EVM wallet. Use a dedicated low-balance wallet, track the $0.20-per-call pricing and discounts, and avoid exposing a primary wallet private key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly states that the x402 client will handle payment authorization automatically and requires an EVM private key, but it does not provide a clear user-facing warning that invoking the skill can spend funds from the user's wallet. This creates a real risk of unexpected paid requests, especially in agentic contexts where users may not realize that a simple data fetch triggers blockchain-backed charges.

VirusTotal

62/62 vendors flagged this skill as clean.