blockpi-rpc.skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed BlockPI RPC helper that stores user-provided endpoints locally and makes user-directed blockchain RPC calls, with no evidence of hidden exfiltration or destructive behavior.

Install only if you are comfortable giving the skill BlockPI endpoints or tokens and allowing user-directed live RPC calls that may consume request units or broadcast already-signed transaction data. Keep the state/ directory private, avoid pasting real keys into shared chats, and review grpcurl output because command arguments can include tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3 (Medium)

Category: MCP Least Privilege
Confidence: 92%
Finding
The skill advertises and instructs use of capabilities including network access, file read/write, environment use, and shell execution, but does not declare permissions. This creates a trust and review gap: consumers may invoke a skill that can persist secrets locally, make live external requests, and spawn grpcurl without an explicit permission boundary, increasing the risk of unintended secret exposure or unauthorized actions.

VirusTotal

67/67 vendors flagged this skill as clean.
