Security audit

Grid Levels

Security checks across malware telemetry and agentic risk

Overview

This skill is a paid x402 crypto data signal that is mostly coherent, but it asks for a wallet private key and enables automatic payments without enough user control or key-safety warnings.

Review carefully before installing. Use only a dedicated wallet with limited USDC, keep EVM_PRIVATE_KEY in secure secret storage, avoid logging or hardcoding it, and require explicit approval plus a max amount before each paid call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly instructs users or agents to supply an EVM private key to an external x402 client for paid requests, but it does not warn that this credential controls wallet funds and may authorize spending. In this context, the private key is both a secret and a financial authorization mechanism, so omitting clear handling and spending warnings creates a real risk of unsafe key use, overbroad wallet exposure, or unintended paid transactions.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.