Back to skill

Security audit

X2c Publish

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about publishing to X2C and managing wallet assets, but it gives agents direct commands for swaps and withdrawals without enough built-in confirmation guidance.

Install only if you intend to let an agent publish content to X2C and help manage X2C wallet assets. Use the least-privileged X2C API key available, and manually confirm every wallet-changing action, amount, destination address, network, and expected fee before allowing execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill documents wallet actions that can move or convert assets (claim, swap, withdraw) but does not include explicit warnings, confirmation requirements, or safety guidance for irreversible financial effects. In an agent setting, this increases the risk of users triggering real asset changes without understanding consequences such as token conversion, transfers to wrong addresses, or depletion of balances.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.