Back to skill

Security audit

Regime Transition

Security checks across malware telemetry and agentic risk

Overview

This skill is a paid crypto-signal integration that clearly describes its endpoint and per-call price, but it asks agents to use an EVM private key for automatic wallet-based payments without built-in spending controls or explicit per-call user consent.

Review before installing. Use only a dedicated low-balance wallet, understand that each invocation may spend USDC on Base mainnet, and avoid enabling this skill for recurring or autonomous use unless you have separate spending limits and monitoring in place.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill instructs the agent to use an EVM private key from the environment to perform automatic x402 payment authorization, but it does not clearly warn the user that invoking the skill can spend funds from the linked wallet. This creates a real risk of unintended monetary loss and unnecessary exposure of highly sensitive wallet credentials, especially in an agent setting where calls may be triggered automatically or repeatedly.

VirusTotal

50/50 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.