Back to skill

Security audit

MAXIA Marketplace

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed MAXIA API connector, but it gives an agent access to real paid, financial, and account-changing actions without enough built-in scoping or confirmation guidance.

Install only if you intentionally want an agent to use MAXIA for marketplace, crypto, tokenized stock, DeFi, wallet-analysis, scraping, or GPU-rental workflows. Use a dedicated low-balance wallet and API key, require manual confirmation before every paid or mutating action, verify transaction details yourself, and avoid sending secrets or sensitive data through prompts or scraping requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description is broad enough to match many generic crypto, finance, or on-chain requests, which can cause over-invocation of a capability that performs high-risk external actions. In this context, that increases the chance an agent routes users into trading, payments, or wallet-related workflows without sufficiently specific user intent or safeguards.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The intent-routing table maps casual phrases like 'buy TSLA stock' or 'swap SOL to USDC' directly to live transactional endpoints, but it lacks scope constraints, negative examples, and confirmation requirements. In a skill that can trigger irreversible financial and on-chain operations, underspecified triggers materially raise the risk of unsafe autonomous execution or user confusion.

Missing User Warnings

High
Confidence
96% confidence
Finding
The quick-start and routing sections present paid execution flows without prominent warnings that operations may require real funds, on-chain transfers, and may be irreversible. Because this skill handles crypto payments, swaps, GPU rentals, and tokenized stock purchases, missing risk disclosures can directly lead to financial loss or unintended transactions.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
Wallet analysis and web scraping process third-party addresses and URLs, but the skill provides no privacy, consent, or data-handling guidance. That omission can lead agents to submit sensitive wallet identifiers or scrape targets without informing users how data is transmitted, retained, or used by the external service.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.