a2a-wallet

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about being a wallet and payment CLI helper, but it needs review because it can install mutable remote code, manage plaintext wallet keys, and sign payments without strong per-transaction guardrails.

Review before installing. Use only a fresh low-value wallet, do not import a valuable wallet, inspect and verify the installer instead of blindly running the curl-to-sh command, and require explicit approval for every wallet creation/import/export, config change, CLI update, registry registration, faucet request, and payment signing action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The skill documentation exposes operational capabilities beyond the stated trigger scope, including agent registration, faucet access, and binary self-update. In an agentic environment, undocumented or under-scoped actions can be invoked unexpectedly and may cause external side effects such as publishing data, modifying the local toolchain, or obtaining funds without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence: 97%
Finding
The installation command downloads a remote script and immediately executes it with the user's shell, giving the remote endpoint full code-execution capability on the host. In a wallet-related skill, this is especially dangerous because any compromise of the repository, release pipeline, DNS/TLS trust, or network path could deliver malware that steals wallet keys, modifies transactions, or installs persistence.

Vague Triggers

Medium
Confidence: 83%
Finding
The trigger language is broad enough that the skill may activate for loosely related wallet, messaging, discovery, or configuration requests. Because this skill includes sensitive actions such as wallet management, payment signing, external registration, and updating software, overbroad invocation increases the chance the agent uses it when the user did not intend those capabilities.

VirusTotal

66/66 vendors flagged this skill as clean.
