
Security audit

Oi Divergence

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent paid crypto-signal integration, but it asks the agent to use a live EVM private key to make paid requests automatically, with no explicit per-call confirmation step before funds are spent.

Only install this if you are comfortable giving the agent access to a funded EVM wallet key for x402 payments. Use a dedicated low-balance wallet, expect each call to cost about $1.00 unless a discount applies, and require confirmation before any request that spends funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill instructs the agent to make an x402-authenticated request using an EVM private key and states that payment authorization is handled automatically, but it does not clearly warn that invoking the endpoint will spend wallet funds. Because the required environment variable is a live private key and the endpoint is priced per call, an agent or user could trigger unintended on-chain or wallet-authorized payments without informed consent.
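The per-call spend gate that the overview and this finding call for, as an added example that is not code from the Oi Divergence skill or from this audit: it parses the payment options in an HTTP 402 reply (a constructed sample in the shape the x402 protocol uses), prices the request from the asset's decimals, enforces a $1.00 per-call cap and a session budget, and requires an explicit yes before the caller is allowed to load the wallet key. The placeholder asset and addresses, the decimals table, the session budget and the allowed-network list are assumptions for illustration.

```python
"""Spend gate for x402-paid requests: a per-call cap, a session budget and an
explicit yes/no confirmation that must pass before any wallet key is loaded.
Added example; not code from the Oi Divergence skill or the audit page."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Callable, Optional

# Constructed sample: the JSON body of an HTTP 402 reply in the shape the x402
# protocol uses (an "accepts" list of payment options). Amounts, addresses and
# the asset are placeholders for this example, not the skill's real endpoint.
SAMPLE_402 = {
    "x402Version": 1,
    "accepts": [{
        "scheme": "exact",
        "network": "base",
        "maxAmountRequired": "1000000",  # atomic units of the asset
        "asset": "0xUSDC_PLACEHOLDER",
        "payTo": "0xRECIPIENT_PLACEHOLDER",
        "resource": "https://example.invalid/signal",
        "maxTimeoutSeconds": 60,
    }],
}

# Assumed decimals table for assets we are willing to pay in. USDC uses 6
# decimals, so "1000000" atomic units is $1.00. Unknown assets are refused.
ASSET_DECIMALS = {"0xUSDC_PLACEHOLDER": 6}


@dataclass
class SpendPolicy:
    max_per_call_usd: Decimal = Decimal("1.00")    # matches the ~$1.00/call price
    session_budget_usd: Decimal = Decimal("5.00")  # hypothetical ceiling per run
    allowed_networks: frozenset = frozenset({"base"})  # assumed allow-list
    spent_usd: Decimal = Decimal("0")              # running total for this session


@dataclass
class Decision:
    allowed: bool
    reason: str
    amount_usd: Optional[Decimal] = None
    option: Optional[dict] = None  # the payment option to sign, if allowed


def quote_usd(option: dict) -> Decimal:
    """Convert maxAmountRequired (atomic units) to a USD-stablecoin amount."""
    decimals = ASSET_DECIMALS.get(option.get("asset"))
    if decimals is None:
        raise ValueError(f"refusing unknown asset {option.get('asset')!r}")
    return Decimal(option["maxAmountRequired"]) / (Decimal(10) ** decimals)


def gate_payment(body: dict, policy: SpendPolicy,
                 confirm: Callable[[str], bool]) -> Decision:
    """Decide whether the agent may pay for this request.

    Nothing here reads the private key: the signer is invoked by the caller
    only after a Decision with allowed=True, so a declined, over-cap or
    over-budget request never reaches the wallet.
    """
    candidates = []
    for option in body.get("accepts") or []:
        if option.get("network") not in policy.allowed_networks:
            continue
        try:
            candidates.append((quote_usd(option), option))
        except ValueError:
            continue
    if not candidates:
        return Decision(False, "no payment option on an allowed network/asset")
    amount, option = min(candidates, key=lambda pair: pair[0])  # cheapest option
    if amount > policy.max_per_call_usd:
        return Decision(False, f"{amount} USD exceeds per-call cap "
                               f"{policy.max_per_call_usd}", amount)
    if policy.spent_usd + amount > policy.session_budget_usd:
        return Decision(False, "session budget exhausted", amount)
    prompt = (f"Pay {amount} USD to {option['payTo']} on {option['network']} "
              f"for {option.get('resource', '<unknown resource>')}? [y/N] ")
    if not confirm(prompt):
        return Decision(False, "user declined", amount)
    policy.spent_usd += amount  # only count money the user actually approved
    return Decision(True, "confirmed", amount, option)


def ask_on_terminal(prompt: str) -> bool:
    """Interactive confirmation; anything other than y/yes declines."""
    return input(prompt).strip().lower() in ("y", "yes")


if __name__ == "__main__":
    decision = gate_payment(SAMPLE_402, SpendPolicy(), ask_on_terminal)
    print(f"{decision.reason}: {decision.amount_usd} USD")
    # Only after decision.allowed is True would the caller read the dedicated
    # low-balance wallet's key from its environment variable and sign
    # decision.option for the X-PAYMENT retry.
```

The key property is ordering: the cap, budget and confirmation checks run on the unauthenticated 402 body, before the private key is ever read, so a skill prompt that says "payment is handled automatically" cannot spend anything the user has not seen and approved. Loading the key only from a dedicated low-balance wallet bounds the damage if the gate is bypassed.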

VirusTotal

63 of 63 vendors rated this skill as clean.
