Solidity Developer

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Solidity development helper with a manifest packaging issue but no evidence of hidden, destructive, or credential-seeking behavior.

Before installing, note that the publisher should fix the trigger metadata so activation is explicit. Treat any generated smart contract as draft code, never provide private keys or mnemonics, review deployment commands manually, and obtain an independent audit before using contracts that control real assets.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The manifest's triggers field is effectively unspecified/opaque (`System.Object[]`), so the conditions under which this skill activates cannot be clearly understood or constrained. Ambiguous activation metadata can cause the skill to run in unintended contexts, increasing the chance of unauthorized use, policy bypass, or accidental execution of code-generation capabilities in sensitive workflows.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal