Security audit

Liquidation Magnet

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed pay-per-call API helper that uses a wallet key for small x402 payments, with wallet and spending risks users should manage carefully.

Install only if you are comfortable letting the agent make x402 payments from a wallet. Use a dedicated low-balance wallet, avoid storing or pasting the private key in chat, configure X402_POLICY_PATH with per-call and daily caps plus a recipient allowlist, and keep X402_AUTOPREFLIGHT enabled.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to use an EVM private key directly for x402-authenticated paid requests, but it does not provide any explicit warning that this credential authorizes spending or that misuse could expose wallet funds. In this context, the key is both a sensitive secret and a payment instrument, so encouraging direct use without strong handling guidance increases the risk of accidental fund loss, unsafe key storage, or overbroad agent access.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal