Back to skill

Security audit

juicy

Security checks across malware telemetry and agentic risk

Overview

This Juicebox developer skill is mostly coherent, but it needs review because several blockchain templates can move funds or change project control while using incomplete flows, mock data, or weak warnings.

Install only if you will treat the templates as scaffolds, not production-ready financial software. Before mainnet use, replace mock values with verified on-chain reads, simulate transactions, add explicit confirmations and fee disclosures, verify addresses/calldata and Relayr payment targets, avoid unlimited approvals unless intentional, and review any contract code before deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (25)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The template is presented as a deployment UI for an NFT project, but its deploy action never submits a transaction and instead only shows an alert and logs tier data. In a blockchain deployment context, this is security-relevant because it can mislead operators into believing an onchain action occurred, causing unsafe operational decisions, mistaken announcements, or follow-on transactions based on a false assumption of successful deployment.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The Revnet template claims to deploy a revnet, but the deploy function only assembles config values, logs them, and instructs users to use other skills. In a financial smart-contract setting, this mismatch can deceive users into thinking an immutable treasury system was launched when no blockchain transaction occurred, creating operational and trust risks.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The documentation claims Solidity is compiled in-browser, but the code sends the full source to a backend `/api/compile` endpoint. This can expose proprietary or sensitive contract code to a server the user may not expect, creating confidentiality and trust risks during a high-stakes deployment workflow.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The skill describes multiple fields named "currency" with different meanings, but earlier sections strongly emphasize `baseCurrency` values of 1/2 for transaction and fund-access use while later sections state terminal accounting currency must be derived from the token address. In a protocol integration skill, this ambiguity can easily cause developers to pass `1` or `2` where a token-derived `uint32` is required, leading to failed transactions, misconfigured accounting contexts, or incorrect asset handling.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The example says fund access limits use `currency: 2` immediately after the document stresses that terminal/accounting currency must be token-address-derived, which is highly likely to mislead implementers into reusing `2` in the wrong context. In a blockchain deployment/configuration skill, this kind of contradictory example is dangerous because developers often copy-paste examples directly, causing broken terminal configuration or incorrect protocol interactions for live funds.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation explicitly encourages interfaces to add their own fees and route them to an operator address, which creates a clear pattern for extracting additional value from users beyond protocol fees. In a wallet-facing UI skill, this is dangerous because downstream agents or developers may implement hidden or poorly disclosed surcharges, and the same document also warns against re-applying fees, creating ambiguity that increases the chance of user harm or deceptive fee handling.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The skill encourages use of `cast tx`, `cast calldata-decode`, and `ethers.JsonRpcProvider(process.env.RPC_URL)` to inspect live transactions but does not warn that submitted tx hashes, addresses, and query patterns are visible to the configured RPC provider. While the data is generally public on-chain, provider-side request logs can still reveal what projects, wallets, or historical activity a user is investigating, creating a privacy leak rather than a direct protocol compromise.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This skill explicitly supports wallet connection, transaction signing, payable calls, and arbitrary contract writes, but it provides no visible warning that write actions can spend funds, trigger irreversible state changes, or interact with untrusted contracts loaded by user-supplied address. In this context, the omission is security-relevant because the UI is a generic contract explorer that can be pointed at any verified contract ABI, increasing the chance that a user signs a harmful or misunderstood transaction.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This skill facilitates smart-contract deployment and hook attachment that can alter live Juicebox project behavior and incur irreversible on-chain transactions, yet it lacks prominent warnings about operational and financial risk. In this context, users may paste unreviewed AI-generated Solidity and deploy it directly, increasing the chance of costly mistakes or harmful production changes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill describes UIs that can pay into treasuries, cash out tokens, mint NFTs, claim tokens, and perform admin treasury operations, yet it lacks an upfront warning that these actions create irreversible on-chain transactions. In this context, omission of transactional risk disclosures can cause users or downstream agents to generate deceptively simple interfaces that under-communicate fund loss, token burning, and permanent state changes.

Missing User Warnings

High
Confidence
95% confidence
Finding
The admin UI exposes high-impact treasury functions such as sending payouts, withdrawing surplus allowance, and distributing reserved tokens, but it does not present a prominent warning commensurate with the financial and governance risk of those operations. In an agent-generated standalone HTML context, a user may treat the interface as routine project management and trigger irreversible treasury actions without adequate notice or friction.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill exposes a live NFT transfer capability via wallet-signed `transferFrom`, but the description does not clearly warn users that this action is irreversible. In a wallet-connected UI for blockchain assets, omission of that warning increases the risk of accidental asset loss, especially because the skill is presented as a reusable template others may deploy without adding safeguards.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill connects wallets and fetches token metadata from arbitrary URIs, including third-party IPFS gateways and direct URLs, without clearly warning about privacy exposure. This can leak user IP address, wallet-associated browsing behavior, token ownership interests, and chain usage to external services, which is particularly relevant in a blockchain UI that correlates identity and assets.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill recommends transferring project ownership to a burn address to create an immutable treasury, but the primary presentation of the pattern does not foreground the irreversible loss of administrative recovery, upgradeability, and incident response. In a deployment-focused skill, that omission can cause operators to permanently lock misconfigurations or lose the ability to respond to future protocol, market, or security issues.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The cash-out wrapper examples encourage redeeming funds into the wrapper and then bridging or swapping through external protocols, but do not prominently warn about bridge compromise, swap slippage, reentrancy, approval misuse, or downstream protocol failure. Because redeemed funds are intentionally intercepted before reaching the beneficiary, any bug or dependency failure in the wrapper path can directly cause loss or lockup of user assets.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill advertises deployment, ownership transfer, and metadata update capabilities but does not foreground that these are on-chain actions with financial cost and potentially irreversible consequences. In an agent setting, omission of transactional-risk warnings can cause users to authorize destructive or unintended state changes they do not fully understand.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The ownership transfer section gives a direct `transferFrom` example without clearly warning that the project NFT represents administrative control of the Juicebox project. If followed blindly, a user could permanently hand over project ownership to the wrong address, resulting in loss of governance and treasury control.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The metadata update instructions show how to change the project URI but omit that this changes public-facing project information and may propagate inconsistently across indexers, wallets, and frontends. Users may unintentionally publish misleading or incorrect metadata and assume it can be instantly or cleanly reverted everywhere.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explains a flow where one payment authorizes execution of signed transactions across multiple chains, but it does not prominently warn that these resulting on-chain actions are irreversible and may fan out to several networks at once. In a transaction-building skill, that omission increases the chance a user or downstream agent treats the payment step as routine and unintentionally triggers broad financial or administrative actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The example chooses the cheapest payment option and proceeds to send a transaction without explicitly requiring verification of the payment target, amount, calldata, destination chain, or linkage to the intended bundle. Because this skill is specifically for omnichain transaction execution, a user following the example could authorize payment that triggers unintended or malicious multi-chain actions, making the omission more dangerous than in a generic API example.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This section explains irreversible collateral-burning loan mechanics without an explicit warning that initiating a loan destroys the user's tokens on-chain and may expose them to financial loss if they misunderstand repayment, refinancing, or liquidation behavior. In a skill intended to help agents build UIs and user-facing flows, omission of this warning increases the chance that downstream tools present dangerous actions too casually.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The example code provides a ready-to-use transaction path that computes a borrowable amount and directly calls wallet.writeContract to borrow funds, but it does not warn that this will create a real blockchain transaction with fees and financial consequences. Because this skill is designed for implementation and UI generation, consumers may reuse the snippet verbatim, leading users to execute risky loan actions without informed consent or adequate validation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly guides generation of contracts that receive, custody, swap, and forward funds through DeFi integrations, but it does not warn users about irreversible asset movement, slippage, approval risk, external protocol risk, reentrancy, or loss scenarios. In this context, the omission is security-relevant because the skill is intended to generate production-adjacent smart contracts from natural language, increasing the chance that users deploy financially dangerous code without understanding the risks.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill includes ready-to-use transaction examples for prepare, toRemote, claim, and emergency exit flows that move treasury value, burn source-chain tokens, mint destination-chain tokens, and may be irreversible or timing-sensitive, but it does not pair those examples with prominent user-safety warnings. In a protocol-integration skill, this omission can lead downstream agents or developers to generate unsafe UX that triggers real asset movement without adequate disclosure, confirmation, or recovery guidance.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The claim example instructs callers to fetch merkle proofs from an external Juicerkle API without warning that this reveals beneficiary, chain, token, and bridge activity to a third party and that the returned data is externally sourced. In this context, consumers may over-trust the API, creating privacy leakage and increasing the risk of failed claims, malicious routing, or unsafe assumptions if the service is compromised, censored, or unavailable.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
jb-hook-deploy-ui/SKILL.md:462