Security audit

Funding Rate Hl

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a disclosed paid x402 workflow; it can spend from a wallet, but that behavior fits its stated purpose and includes user-confirmation guidance.

Install only if you intend the agent to make paid x402 requests. Use a dedicated low-balance wallet, keep the private key out of chats/logs, review the exact USDC amount before each generation, and do not let the agent sign payments without clear approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly requires an EVM private key and states that the x402 client will handle payment authorization automatically, but it does not clearly warn the user that providing that key enables real wallet-backed paid requests. This can cause unintended spending from the user's wallet, especially because the skill presents the flow as frictionless ('No API key, no account, no subscription required') and emphasizes low per-call pricing rather than authorization risk.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.