Security audit

Regime Transition Probability Institutional

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only paid trading-signal skill that clearly requires an EVM wallet key and discloses per-call pricing, but users should treat the wallet key and automatic payment flow carefully.

Install only if you intend to let an agent make paid x402 requests to this APEX Runner signal. Use a dedicated low-balance wallet rather than a primary wallet, keep EVM_PRIVATE_KEY private, and monitor calls because each request may authorize a charge.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill requires an EVM private key and states that payment authorization is handled automatically, but it does not clearly warn users that invoking the example/request can spend wallet funds on paid on-chain or wallet-authorized requests. In a skill ecosystem, users may treat documentation snippets as safe to run, so omission of an explicit spending-risk warning can lead to unintended charges and exposure of a highly sensitive credential.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.