Emily - Your Radix Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Radix blockchain lookup skill that installs a known MCP CLI and connects to a remote Emily service, with privacy and supply-chain considerations but no evidence of hidden or destructive behavior.

Install only if you are comfortable installing mcporter from npm and sending Radix wallet addresses, .xrd domains, token IDs, and market queries to the Emily service and its listed data providers. Avoid querying addresses you consider personally sensitive unless you trust those services.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: This skill explicitly handles wallet addresses, .xrd domain lookups, transaction history, validator, DeFi, and market queries using external services such as the Radix Gateway API, CoinMarketCap, Astrolescent, Attos Earn, and the hosted MCP endpoint at ineedemily.com, but it does not clearly warn users that submitted identifiers and queries are transmitted to third parties. Wallet addresses and lookup terms can reveal portfolio composition, transaction activity, and user interests, so the lack of disclosure creates a real privacy and data-handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal