AgentWallet

Security checks across malware telemetry and agentic risk

Overview

This is a coherent crypto wallet skill, but it gives an AI agent direct tools to sign and send real blockchain payments without clear per-transaction user approval safeguards.

Install only if you intentionally want an AI agent to operate a crypto wallet. Verify the npm package and source before use, keep funds limited and segregated, use short unlock sessions, require explicit approval for every transfer or signature, and lock the wallet immediately afterward.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill provides concrete transfer and signing commands without an explicit warning that these actions can spend assets and create irreversible on-chain transactions. In the context of an AI-agent wallet skill, this omission is dangerous because an agent may follow examples mechanically and authorize real fund movement or signatures without sufficient user confirmation or policy checks.

VirusTotal

66/66 vendors flagged this skill as clean.
