Back to skill

Security audit

Grid Health

Security checks across malware telemetry and agentic risk

Overview

This is a coherent paid trading-signal skill, but users should understand that using it can automatically spend wallet funds per request.

Install only if you intend to let an agent make paid x402 requests to APEX Runner. Use a dedicated low-balance wallet or spending controls, verify the per-call cost before automated use, and avoid reusing a wallet that holds significant funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to make an x402-authenticated request using an EVM private key and states that payment authorization is handled automatically, but it does not present a clear, prominent warning that each invocation can directly spend wallet funds. This creates a real risk of unintended onchain payment by users or agents who may interpret the call as a normal free HTTP request, especially because the skill emphasizes 'No API key, no account, no subscription required' rather than the spending implications.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.