
Security audit

Momentum Status

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed paid crypto-signal lookup, but users should treat the wallet key and per-call charges carefully.

Install only if you are comfortable giving the agent access to an EVM wallet key for paid x402 requests. Use a dedicated low-balance wallet on Base with only the funds needed for this service, never reuse a high-value wallet private key, and expect each call to spend the disclosed amount unless discounts apply.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to use an EVM private key to authorize paid x402 requests and explicitly pulls it from an environment variable, but it does not warn about wallet spend risk, key sensitivity, or the need to use a limited-purpose wallet. In this context, the skill causes real on-chain economic actions, so silent use of a signing key can lead to unintended charges or encourage unsafe credential handling practices.

VirusTotal

48/48 vendors flagged this skill as clean.