Security audit

Risk Assessment Bundle

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed pay-per-call crypto risk signal that uses an EVM wallet for x402 payment, with no hidden code or persistence found.

Before installing, use a dedicated low-balance wallet rather than a primary wallet, confirm you are comfortable with the listed per-call cost, and treat each use of the skill as a potential paid request to APEX Runner.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill instructs the agent to make an x402-authenticated request using an on-chain wallet private key and states that payment authorization happens automatically, but it does not clearly warn the user that invoking the skill may spend funds and transmit wallet-derived authorization material to a third-party service. In agent environments, this can lead to unintended paid requests, silent wallet use, and disclosure of sensitive financial metadata without meaningful user consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.