Security audit

DeepKnow Currency

Security checks across malware telemetry and agentic risk

Overview

This exchange-rate skill is mostly coherent, but its real-payment flow sends and stores sensitive payment-linked data with weak scoping controls.

Install only if you trust the InkRate backend and JD clawtip payment workflow. Keep the default official HTTPS endpoint unless you control the replacement host, avoid putting unnecessary personal or financial details in paid-service questions, confirm charges before payment, and periodically delete old local order files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (3)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The README states that paid fulfillment requests are forwarded to the InkRate backend after JD clawtip payment, but it does not disclose what user, order, device, or payment-related metadata may be transmitted in that handoff. In a real-payment flow, this lack of transparency can lead to unintended collection or relay of sensitive data and prevents users or deployers from assessing privacy and compliance risk.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The script sends the raw user-provided question directly to a remote `/api/skill/create-order` endpoint and then persists that question locally with order metadata, but it provides no explicit notice, consent flow, or data-minimization step before transmission. In a finance-related skill, users may include sensitive personal or transactional details in their question, so silent transmission to a backend and storage in local order records increases privacy and data-handling risk.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The code reads a stored payment credential from the local order file and sends it to a remotely resolved base URL via `/api/skill/fulfill`. In a payment skill, that credential is highly sensitive, and this file provides no verification of destination trust, no explicit transport guarantees beyond whatever `resolve_base_url()` returns, and no user-facing disclosure or consent at the point of transmission, increasing the risk of credential misuse or exfiltration.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.