Back to skill

Security audit

Optimal Order Routing

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent paid trading-signal integration, but it asks an agent to use an EVM private key for automatic wallet-based payments without strong consent or spend-limit guidance.

Install only if you are comfortable letting your agent make paid x402 requests. Use a dedicated low-balance wallet, confirm the expected $0.20 or discounted per-call cost before use, and avoid exposing a primary trading wallet private key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to make a paid x402-authenticated request using an EVM private key, but it does not prominently warn that the call can spend wallet funds and link the wallet to request activity. Because the payment is described as automatic and frictionless, a user or downstream agent could invoke it without understanding the financial and privacy implications.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.