Botcoin

Security checks across malware telemetry and agentic risk

Overview

This is a transparent crypto-game skill, but it lets an agent sign asset-related actions and irreversible on-chain withdrawals without strong confirmation guardrails.

Install only if you are comfortable letting an agent help operate a crypto-game wallet. Use a dedicated Botcoin key, dedicated X account, and dedicated Base address; keep the secret key out of chat and shared files; pin or verify npm dependencies; and require manual confirmation before any transfer, wallet relink, subscription payment or burn, or on-chain withdrawal.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs the agent to perform an irreversible on-chain withdrawal and allows relinking of the destination Base address, but it does not explicitly require a confirmation step that highlights permanence, address correctness, and the fact that a mistaken or attacker-supplied address cannot be recovered from. In an agent setting, this is dangerous because the skill is user-invocable and could cause loss of assets if the agent proceeds automatically with a stale, spoofed, or incorrect destination address.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal