Security audit

Regime Confluence Institutional

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly disclosed paid crypto-signal API wrapper, but users should treat each use as a real wallet-funded transaction.

Install only if you intend to spend USDC from an EVM wallet on Base for each invocation. Use a dedicated low-balance wallet, keep EVM_PRIVATE_KEY out of prompts and logs, and configure your agent to ask before making paid calls.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium (95% confidence)
Finding
The skill clearly describes an x402-authenticated request that will charge the user's EVM wallet, but it does not present a prominent warning that invoking the skill spends real funds. In an agent context, users may trigger the skill expecting data retrieval only, creating a risk of unexpected financial loss through automatic payment authorization.

Missing User Warnings

Medium (92% confidence)
Finding
The skill requires an EVM private key via environment variable but does not include strong guidance on secure handling of wallet credentials. In practice, exposing or mishandling this key could allow unauthorized transactions and full compromise of the associated wallet, which is more serious than ordinary API key leakage because it directly controls funds.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.