Security audit

Signal Intelligence

Security checks across malware telemetry and agentic risk

Overview

This skill makes a disclosed, paid x402 call to a trading-signal endpoint. The artifact contains no hidden code and no persistence.

Install only if you are comfortable giving the agent access to a dedicated low-balance EVM wallet for paid calls on Base mainnet. Treat each use as spending wallet funds, verify the endpoint and cost before use, and do not use a primary wallet or broad-purpose private key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill requires access to an EVM private key and initiates x402-authenticated paid requests, but the usage description does not prominently warn that invoking the skill can authorize wallet-backed spending. This can mislead users or downstream agents into treating the call like a normal unauthenticated API request, increasing the risk of unintended charges and unnecessary exposure of a highly sensitive secret.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.