Security audit

Live Fill Rate

Security checks across malware telemetry and agentic risk

Overview

This skill is a paid crypto-wallet API helper that discloses its wallet requirement and per-call price, and I found no hidden code or persistence.

Install only if you are comfortable giving the agent access to an EVM private key for paid x402 requests. Use a dedicated low-balance wallet, expect each invocation to spend USDC on Base according to the listed per-call price, and confirm the price before repeated or automated use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill instructs the agent to make an x402-authenticated request using the user's EVM private key, and notes that payment authorization is handled automatically, but it does not present a prominent, explicit warning that invoking the skill spends wallet funds. In an agent context, this can lead to unintended paid transactions because users may interpret the call as a normal API request rather than a chargeable wallet-authorized action.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal