AgenticTrade

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed AgenticTrade marketplace skill, but it can spend real USDC and change marketplace/account state without clear per-action approval or spending limits.

Install only if you intend to let an agent interact with a paid AgenticTrade account. Use a dedicated low-balance account/API key, require human approval before every paid service call or service listing, check prices and recipient service IDs before use, and inspect the optional agentictrade-mcp package before enabling it with funds or private data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill explicitly instructs the agent to call third-party marketplace services where payment is automatically deducted from the user's USDC balance, but it does not require explicit user confirmation before incurring charges. In an agent setting, this can lead to unintended spending, especially if the agent autonomously discovers and invokes paid services based on user requests.

VirusTotal

65/65 vendors flagged this skill as clean.
