Security audit

Use Arc

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Arc Testnet development guide with a real private-key handling caveat, but no hidden execution or malicious behavior.

Safe to install as a reference skill, but use a dedicated testnet wallet and avoid putting valuable private keys in chat, shell history, CI logs, or CLI flags. Prefer Foundry keystores, hardware wallets, or interactive signing for any testnet deployment, and review remote installer commands before running them.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

Medium

Confidence: 96% confidence
Finding: The deployment example tells users to deploy to Arc Testnet with `--private-key $PRIVATE_KEY`, which directly contradicts the skill's own rule that plaintext private-key CLI flags must never be used in non-local environments, including testnet and staging. Even when sourced from an environment variable, CLI arguments can be exposed through shell history, process listings, CI logs, or debugging output, creating a realistic secret leakage path.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal