Security audit

Trading Intelligence Bundle

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed paid crypto trading-signal request, but users should use an isolated low-balance wallet because it requires an EVM private key for automatic x402 payments.

Before installing, use a dedicated low-balance Base wallet funded only with the USDC you are willing to spend, avoid reusing a primary wallet private key, and remember each call can trigger an automatic paid request.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly instructs the agent to supply an EVM private key to a third-party paid request flow and emphasizes that payment authorization happens automatically, but it provides no warning about the sensitivity of the key, the spending implications, or the need to scope and protect wallet usage. In agent environments, this can lead to unintended on-chain payment authorization, exposure of highly sensitive signing material, and unsafe use of a privileged wallet for repeated paid calls.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.