x402janus-acp

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: it creates paid Virtuals ACP marketplace jobs to scan wallet addresses, with no evidence of hidden or destructive behavior.

Install only if you trust the Virtuals ACP endpoint and x402janus provider. Protect ACP_API_KEY, verify the selected offering and price before scanning, and remember that running a scan submits the wallet address through the ACP job flow and may spend $VIRTUAL tokens.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 88% confidence
Finding: The README instructs users to submit wallet addresses and authenticate with an ACP API key, but it does not clearly warn that scan requests and associated metadata are sent to a third-party marketplace service. This is a real, albeit low-severity, transparency and privacy issue because users may unknowingly disclose sensitive operational data or misuse a privileged API key in a context they assume is purely local.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill initiates paid ACP marketplace jobs using $VIRTUAL, but the documentation does not present a prominent up-front warning that running a scan causes token spend. In agentic or automated environments, this can lead to unintended financial loss, repeated paid invocations, or abuse through prompting a user/agent to run what appears to be a harmless scan command.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal