openscan-blockchain-exploration

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed, read-only blockchain analysis skill that uses the OpenScan CLI and optional RPC/API credentials, with privacy and secret-handling caveats but no hidden or destructive behavior found.

Install only if you are comfortable adding the OpenScan CLI globally and sending blockchain lookup requests to public or third-party RPC/API providers. Prefer environment variables or a secret manager for API keys, avoid putting real keys directly in pasted commands, use a trusted RPC for sensitive investigations, and never provide wallet seed phrases or private keys because this skill should not need them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill instructs users to supply an Alchemy API key via command-line flag or environment variable but does not warn about credential handling risks such as shell history exposure, process listing leakage, logs, or accidental inclusion in transcripts. In an agent setting, this is more dangerous because models may echo commands, store tool invocations, or reveal secrets in outputs, increasing the chance of credential disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal