Security audit

Regime Micro

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward paid market-signal integration, but it uses an EVM private key to authorize per-call payments.

Install only if you are comfortable letting an agent use an EVM wallet for paid x402 requests. Prefer a dedicated low-balance wallet on Base with only the USDC you are willing to spend, especially if the agent may call this in frequent loops.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill instructs the agent to use the user's EVM private key for x402-authenticated requests and says payment authorization happens automatically, but it does not present a prominent warning about the financial and signing implications. This can cause users or downstream agents to trigger paid on-chain authorizations without informed consent, especially in fast agent loops where repeated calls may accumulate cost.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.