Security audit

Regime

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed paid market-signal lookup, but users should use a dedicated low-balance wallet because it requires an EVM private key for x402 payments.

Install only if you want an agent to make paid requests to this market-signal service. Use a dedicated low-balance EVM wallet on Base, understand the listed per-call cost before invoking it, and avoid using a private key that controls substantial funds.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs the agent to make an x402-authenticated request using an EVM private key and states that payment authorization is handled automatically, but it does not prominently warn that each call can spend wallet funds. Because the skill explicitly requires `EVM_PRIVATE_KEY` and quotes per-call pricing, an agent could trigger paid requests without meaningful user awareness or confirmation, creating a real risk of unintended financial loss.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.