Security audit

A.I. Cheese

Security checks across malware telemetry and agentic risk

Overview

This skill matches its paid-messaging purpose, but it can automatically spend real USDC from a raw wallet key without built-in caps or per-payment approval.

Install only if you are comfortable with a skill that can spend real USDC. Use a dedicated low-balance wallet, avoid reusing personal or treasury keys, keep AGENT_PRIVATE_KEY out of logs and shared shells, manually review each send, and avoid sending secrets or regulated data through the third-party messaging service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The setup instructions tell users to export a funded private key directly into an environment variable but provide no warning about the sensitivity of that credential or the financial consequences of exposure. A funded blockchain private key is effectively direct access to assets, so any leakage via logs, subprocesses, debugging, shell history, or broader env access can lead to irreversible theft. The danger is amplified here because the skill is explicitly designed to spend funds automatically.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill prominently advertises sending paid messages and states that the bundled script handles the payment flow automatically, but it does not place a clear warning near the usage paths that actions incur real monetary charges. This can cause accidental spending by users or agents, especially when the command examples and automation framing make the flow appear routine. In context, the risk is more serious because every send operation can trigger on-chain payment behavior.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The script loads `AGENT_PRIVATE_KEY` directly from the environment and immediately uses it to sign on-chain USDC transfers to addresses provided by the remote payment-requirements response. In this skill context, that means a compromised/misconfigured server or malicious override of `AICHEESE_SERVER` could induce real asset transfers, making sensitive key handling and transaction validation especially important.

VirusTotal

64/64 vendors flagged this skill as clean.