Back to skill

Security audit

WEB3 Integration

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Web3 integration skill with disclosed wallet and contract-call risks, and no hidden executable behavior.

Before installing, treat generated write-capable contract code as high impact: start on a local chain or testnet, review transaction previews, avoid server-side signing unless explicitly required and approved, and never provide private keys in chat. The publisher should fix the malformed trigger field and add a clearer warning about irreversible transactions and gas or asset spending.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
96% confidence
Finding
This manifest file includes a triggers field, but its value is the non-descriptive placeholder-like text "System.Object[]" rather than an explicit list of activation phrases or conditions. That makes it unclear when the skill should activate and provides no scope limits or negative examples to prevent unintended invocation.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.