Use Smart Contract Platform

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed smart-contract helper, but users must handle Circle credentials and blockchain transactions carefully.

Install only if you intend to use Circle Smart Contract Platform workflows. Keep API keys and entity secrets server-side, pin npm dependency versions, default to testnet, and manually confirm wallet, network, fee, contract address, function, token, and amount before any deploy, mint, or write transaction.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: This markdown file includes example code to deploy an ERC-1155 contract and mint a token, which are user-data/system-integrity impacting blockchain operations that typically incur fees and cannot be easily reversed. The notes mention checking transaction status and permissions, but do not warn the user that these actions create on-chain state and may spend funds.

Behavior Manipulation

Medium

Category: Prompt Injection
Content: - ALWAYS require explicit user confirmation of destination, amount, network, and token before executing write transactions that move funds. NEVER auto-execute fund movements on mainnet. - ALWAYS warn when targeting mainnet or exceeding safety thresholds (e.g., >100 USDC). - ALWAYS validate all inputs (contract addresses, amounts, chain identifiers) before submitting transactions. - ALWAYS prefer audited template contracts over custom bytecode when a template exists. Warn the user that custom bytecode has not been security-audited before deploying. - NEVER deploy contracts designed to deceive, phish, or drain funds. - ALWAYS warn before interacting with unaudited or unknown contracts.
Confidence: 70% confidence
Finding: ALWAYS prefer audited template contracts over

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal