Nicky

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate payment-integration skill, with a privacy caveat around payer name and email sharing.

Before installing or using this skill, confirm you are comfortable sharing the payer name and email with Nicky and the payment recipient. Use it only for payment flows you intentionally initiate, and avoid providing unnecessary personal details if the platform supports aliases or redacted values.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly instructs the agent to collect `payerName` and `payerEmail` and send them to a third-party payment platform, but it does not require a clear user-facing privacy warning or consent step before that transmission. This can cause unintended disclosure of personal data, especially in an anonymous-payment flow where users may not expect identity details to be shared with the receiver and payment processor.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation describes collecting `payerName` and `payerEmail` and notes they are receiver-visible, but it does not clearly warn users or integrators that personally identifiable information is transmitted to an external third-party payment API as part of an anonymous payment flow. In an agent setting, this can cause unintended privacy disclosure because users may assume a crypto payment is pseudonymous unless explicitly told otherwise.

VirusTotal

61/61 vendors flagged this skill as clean.
