Back to skill

Security audit

FarmDash Wagon Steward

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed read-only DeFi portfolio skill, with some optional telemetry and wording issues users should understand before enabling setup flows.

Before installing, assume FarmDash will receive any wallet address you ask it to analyze and your optional API token if configured. Do not run the optional onboarding curl unless you are comfortable linking your public agent or wallet address to FarmDash analytics. Treat rebalance output as research only; any swaps, signatures, or perps should happen only through a separate execution skill with explicit confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill repeatedly asserts a strictly read-only GET-only surface, but later documents an optional POST onboarding call that registers the agent/wallet address for analytics and tier identification. Even though it is consent-gated and non-state-changing on-chain, it expands the actual data-flow and capability surface beyond the declared model, which can mislead users and orchestrators that rely on the earlier security claims.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The analytics registration collects and transmits an agent or wallet address plus skill identifier for service-funnel telemetry and capacity planning, which is not necessary for portfolio analysis itself. This creates avoidable privacy risk, enables cross-session tracking of users or agents, and broadens trust assumptions to a third-party backend without a strong functional justification.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
Saying users should upgrade for 'execution access' contradicts the core claim that this skill never executes actions. In a multi-skill agent ecosystem, that kind of wording can cause dangerous operator confusion about whether this skill itself has transactional authority, undermining the trust boundary between analysis and execution components.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.