KaspaCom DeFi MCP

Security checks across malware telemetry and agentic risk

Overview

This is a coherent DeFi skill, but it can direct wallet-backed mainnet transactions without clearly requiring confirmation or warning about irreversible fund-moving actions.

Only install this if you intend to use an agent with DeFi tools. Use testnet first, provide only a dedicated low-balance wallet key, and manually confirm every swap, borrow, liquidity change, or launchpad purchase before it is submitted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly states that write actions require a wallet key, but it does not clearly warn that these operations can create real, irreversible blockchain transactions affecting user funds. In an agent-driven context, this omission is dangerous because users may treat commands as informational or low-risk while the agent is actually capable of swaps, borrowing, liquidity actions, or launchpad purchases on live networks.

VirusTotal

66/66 vendors flagged this skill as clean.
