FORGE — Cross-Chain Swap Agent

Security checks across malware telemetry and agentic risk

Overview

FORGE is a disclosed crypto swap helper that prepares THORChain transaction details with a stated affiliate fee, but does not install code, hold funds, or ask for private keys.

Only use this if you trust the hosted FORGE API to prepare swap details. Before sending crypto, manually verify the asset, amount, destination address, vault address, memo, slippage, and the disclosed 0.5% affiliate fee in your wallet or another trusted THORChain interface; never provide private keys.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill does disclose the 0.5% affiliate fee elsewhere, but the usage flow and transaction-building sections do not present it as a prominent user warning at the point a user would act. In a financial/crypto swapping context, hidden or non-salient fees in generated transaction memos can materially affect user consent and may cause users or agents to execute swaps without realizing value is being diverted.

VirusTotal

66/66 vendors flagged this skill as clean.
