Back to skill

Security audit

Verdikta Bounties Onboarding

Security checks across malware telemetry and agentic risk

Overview

This is a clearly disclosed hot-wallet bounty-operator skill with real financial risk, but the risky behavior matches its stated purpose and includes user controls.

Install only if you intentionally want an autonomous low-balance hot wallet for Verdikta Bounties. Start on Base Sepolia, do not import a valuable personal wallet, review configured API/RPC/0x URLs, use dry-run where available, and assume submitted files plus bounty metadata may become public and persistent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The documentation exposes admin and maintenance endpoints such as validating all open bounties, listing stuck submissions, expired bounties, and closing expired bounties, which are outside the stated hot-wallet onboarding purpose. In an agent skill that can read config, call APIs, and sign transactions, advertising these capabilities broadens the action surface and can lead to unauthorized operational actions if the agent or operator misuses them.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The documentation includes endpoints for listing submissions, retrieving submission content, and fetching detailed evaluation reports that may expose other users' work product, file contents, and model judgments. For a hot-wallet onboarding skill, this is unnecessary data access and increases the risk of privacy leakage, competitive intelligence exposure, or unauthorized collection of user-generated content.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The onboarding script optionally spawns and executes another local script, `bounty_worker_min.js`, during setup. That expands onboarding from configuration into code execution of a separate component whose behavior is not enforced here, so a modified or malicious worker could perform signing, network actions, or secret use under the guise of a smoke test.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The code tells the operator the final integration test is 'read-only' and only lists open bounties, but it actually runs an external worker script without constraining what that script can do. In a hot-wallet skill that can sign irreversible transactions, misleading trust cues materially increase the risk that an operator approves execution of code that may spend funds, transmit secrets, or alter state.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This script adds irreversible token-swapping capability through the 0x aggregator, which is materially broader than a stated onboarding/upload workflow and expands the hot wallet’s authority from storage and publishing tasks into active trading. Although the code includes several safeguards such as Base-only checks, quote validation, value caps, and user confirmation, it still enables external API-driven calldata execution against a mainnet wallet, increasing the blast radius if the skill is misused, misconfigured, or socially engineered.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The submission flow tells users to upload raw files and notes that the API packages them for IPFS, but it does not clearly warn that uploaded content and narratives leave the local environment and may become persistently addressable through IPFS and blockchain-linked systems. In an agent context, this can cause accidental disclosure of secrets, proprietary files, or personal data if the agent submits the wrong materials.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document instructs an agent to upload data to IPFS and then execute approve/start submission transactions, but the section itself does not clearly warn that these actions are public, financially consequential, and partially irreversible. In this skill’s context, that omission is more dangerous because the skill is explicitly a hot-wallet operator capable of signing Base/mainnet or testnet transactions, so an autonomous agent could follow the workflow and expose data or spend funds without an explicit user confirmation gate.

Credential Access

High
Category
Privilege Escalation
Content
permissions:
      filesystem:
        read:
          - "~/.config/verdikta-bounties/.env"
          - "~/.config/verdikta-bounties/verdikta-bounties-bot.json"
          - "~/.config/verdikta-bounties/verdikta-wallet.json"
          - "scripts/*.json"
Confidence
94% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
- "~/.config/verdikta-bounties/verdikta-wallet.json"
          - "scripts/*.json"
        write:
          - "~/.config/verdikta-bounties/.env"
          - "~/.config/verdikta-bounties/verdikta-bounties-bot.json"
          - "~/.config/verdikta-bounties/verdikta-wallet.json"
      network:
Confidence
92% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
},
    "filesystem": {
      "read": [
        "~/.config/verdikta-bounties/.env",
        "~/.config/verdikta-bounties/verdikta-bounties-bot.json",
        "~/.config/verdikta-bounties/verdikta-wallet.json",
        "scripts/*.json",
Confidence
93% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
"operator-selected work files for submission"
      ],
      "write": [
        "~/.config/verdikta-bounties/.env",
        "~/.config/verdikta-bounties/verdikta-bounties-bot.json",
        "~/.config/verdikta-bounties/verdikta-wallet.json"
      ],
Confidence
94% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
"VERDIKTA_KEYSTORE_PATH"
  ],
  "requiredConfigPaths": [
    "~/.config/verdikta-bounties/.env",
    "~/.config/verdikta-bounties/verdikta-bounties-bot.json"
  ],
  "primaryCredential": {
Confidence
90% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
],
  "primaryCredential": {
    "type": "file",
    "path": "~/.config/verdikta-bounties/.env",
    "fields": [
      "VERDIKTA_WALLET_PASSWORD",
      "VERDIKTA_NETWORK",
Confidence
95% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
if (!sweepAddress) sweepAddress = ownerDefault || ownerAddress;
    if (!isAddress(sweepAddress)) throw new Error('Invalid sweep address.');

    // 4) Wallet password (stored in stable .env at ~/.config/verdikta-bounties/.env)
    const pwDefault = current.VERDIKTA_WALLET_PASSWORD || process.env.VERDIKTA_WALLET_PASSWORD || '';
    let password = pwDefault;
    if (!password) {
Confidence
87% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
"validate:contracts": "node validate_contract_config.js"
  },
  "dependencies": {
    "dotenv": "^16.4.5",
    "ethers": "^6.15.0"
  }
}
Confidence
91% confidence
Finding
"dotenv": "^16.4.5"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "dotenv": "^16.4.5",
    "ethers": "^6.15.0"
  }
}
Confidence
95% confidence
Finding
"ethers": "^6.15.0"

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/onboard.js:455

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/_lib.js:24

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/create_bounty.js:135

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/onboard.js:19

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/swap_eth_to_link_0x.js:26