Security audit

Mean Reversion Scan

Security checks across malware telemetry and agentic risk

Overview

The skill's behaviour appears aligned with its stated purpose (making paid EVM network requests), but it authorizes those payments with a raw wallet private key that carries spend authority, and it does not disclose adequate safeguards around that key.

Install only if you understand that EVM_PRIVATE_KEY can authorize spending from the wallet it controls. Use a dedicated low-balance payment wallet, set strict per-request and cumulative funding limits, never reuse a primary trading or custody wallet key, and require an explicit confirmation before any paid request is signed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill instructs the agent to use an EVM private key from the environment to authorize a paid network request, but it does not clearly warn that this key is highly sensitive or that the request can spend wallet funds. Even if the payment flow is legitimate, encouraging automatic use of a wallet credential for metered calls increases the risk of unintended spending, secret exposure through downstream tooling, or unsafe reuse of a trading wallet key.
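The safeguards the overview asks for (dedicated low-balance wallet, strict funding limits, explicit confirmation) can be enforced in code rather than left to the agent. The following Python example is added here as an illustration and is not part of the audited skill or of SkillSpector. It keeps EVM_PRIVATE_KEY inside one object that never returns or prints the key, applies a per-request cap, a cumulative session budget and a recipient allowlist, and refuses to sign without a confirmation callback. The signing step is injectable so that a real EVM signer can be plugged in; the fallback shown only hashes the request and is not a valid Ethereum signature. The limits, addresses and the test key are constructed values.

```python
"""Spend guard around an environment-provided EVM payment key.

Added example for the finding above (not the audited skill's code). Keeps
EVM_PRIVATE_KEY inside the guard, enforces a per-request cap, a session
budget and a recipient allowlist, and requires explicit confirmation.
The placeholder signer is NOT a real Ethereum signature; inject a real one.
All limits, addresses and the sample key are constructed assumptions.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import Set


class PaymentRefused(Exception):
    """Raised when policy refuses a spend; its message never carries the key."""


@dataclass
class SpendPolicy:
    max_per_request_wei: int      # hard cap for one paid request
    session_budget_wei: int       # cumulative cap for this process
    allowed_recipients: Set[str]  # lower-cased payee addresses


class PaymentGuard:
    def __init__(self, policy, signer=None, env_var="EVM_PRIVATE_KEY"):
        key = os.environ.get(env_var)
        if not key:
            raise PaymentRefused(f"{env_var} is not set")
        self._key = key            # never returned, printed or logged
        self._policy = policy
        self._spent_wei = 0
        self._sign = signer or self._placeholder_sign

    # Keep the secret out of logs, tracebacks and agent tool output.
    def __repr__(self):
        return f"PaymentGuard(spent_wei={self._spent_wei})"

    @property
    def spent_wei(self):
        return self._spent_wei

    def authorize(self, recipient, amount_wei, confirm):
        """Return a signature for (recipient, amount_wei) or raise PaymentRefused.

        `confirm(recipient, amount_wei)` must return True only after a human
        or an independently enforced policy has approved this exact spend.
        """
        p = self._policy
        if recipient.lower() not in p.allowed_recipients:
            raise PaymentRefused(f"recipient {recipient} is not allowlisted")
        if amount_wei <= 0 or amount_wei > p.max_per_request_wei:
            raise PaymentRefused(
                f"{amount_wei} wei exceeds per-request cap {p.max_per_request_wei}")
        if self._spent_wei + amount_wei > p.session_budget_wei:
            raise PaymentRefused("session budget exhausted")
        if not confirm(recipient, amount_wei):
            raise PaymentRefused("spend not confirmed")
        message = f"pay:{recipient.lower()}:{amount_wei}".encode()
        signature = self._sign(self._key, message)
        self._spent_wei += amount_wei  # count only after a successful sign
        return signature

    @staticmethod
    def _placeholder_sign(key, message):
        # Offline stand-in so the example runs; replace with a real EVM signer.
        return hashlib.sha256(key.encode() + message).hexdigest()


def demo():
    """Exercise the guard against constructed values; return the outcomes."""
    os.environ.setdefault("EVM_PRIVATE_KEY", "0x" + "11" * 32)  # constructed key
    secret = os.environ["EVM_PRIVATE_KEY"]
    policy = SpendPolicy(
        max_per_request_wei=10_000,
        session_budget_wei=25_000,
        allowed_recipients={"0xabc0000000000000000000000000000000000def"},
    )
    guard = PaymentGuard(policy)
    approve = lambda to, amt: True   # stands in for an interactive prompt
    deny = lambda to, amt: False
    payee = "0xABC0000000000000000000000000000000000DEF"
    out = {"repr_safe": secret not in repr(guard)}
    out["ok"] = len(guard.authorize(payee, 9_000, approve)) == 64
    cases = {
        "unconfirmed": (payee, 1_000, deny),
        "over_cap": (payee, 10_001, approve),
        "bad_payee": ("0x" + "00" * 20, 1_000, approve),
    }
    for name, args in cases.items():
        try:
            guard.authorize(*args)
            out[name] = "allowed"
        except PaymentRefused as e:
            out[name] = "leaked" if secret in str(e) else "refused"
    guard.authorize(payee, 9_000, approve)  # total now 18_000 of 25_000
    try:
        guard.authorize(payee, 9_000, approve)  # would reach 27_000
        out["budget"] = "allowed"
    except PaymentRefused:
        out["budget"] = "refused"
    out["spent"] = guard.spent_wei
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that the agent never sees the key and cannot call the signer directly: every paid request goes through `authorize`, which is where the wallet's exposure is bounded by the policy rather than by the prompt. Funding the dedicated wallet with no more than the session budget adds a second, on-chain limit that holds even if this code is bypassed.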

VirusTotal

64/64 vendors flagged this skill as clean.