Graph Advocate

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed blockchain data-routing skill with external query sharing and optional paid calls, but no hidden code, local access, or automatic spending was found.

Install only if you are comfortable sending blockchain queries, wallet addresses, and trading intent to graphadvocate.com. Start without a wallet in the free mode; if enabling x402 paid endpoints, use a dedicated low-balance wallet, require per-call approval, and set spend caps.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The description is written with very broad, high-recall activation language such as 'Ask any blockchain question in plain English' and a long list of covered domains. In agent ecosystems that route skills based on metadata, this can cause the skill to over-match unrelated or only loosely related prompts, leading to unintended invocation and possible data exfiltration to an external endpoint.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal