Back to skill

Security audit

Warren - On-Chain Website Deploy

Security checks across malware telemetry and agentic risk

Overview

The skill appears aligned with blockchain deployment, but it handles wallet private keys and can automatically perform irreversible on-chain actions without a clear confirmation gate.

Install only if you understand it will sign blockchain transactions and may permanently publish content. Use a fresh, low-funded testnet wallet, never a primary wallet or reused private key, review the exact content and contract actions before running, and avoid autonomous execution unless you add an explicit confirmation or dry-run step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly requires access to a private key via environment variable or CLI argument, yet no explicit permissions are declared. This creates a transparency and consent problem: an invoking agent or user may not realize the skill consumes sensitive wallet credentials and can spend funds on-chain. In blockchain contexts, undeclared secret access is especially risky because misuse directly enables irreversible transactions and gas expenditure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The description frames the skill as website/file deployment, but the documented behavior also includes automatically minting a Genesis Key NFT, minting entries in a registry, and accepting broader content classes including script-labeled content. That mismatch is dangerous because users may authorize what seems like simple content storage while the skill performs additional on-chain actions that incur cost, create assets, and permanently publish content. On-chain side effects are irreversible, so incomplete disclosure materially increases risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Although the notes mention immutability, the skill lacks a prominent explicit warning at the point of use that supplied content will be permanently published on-chain and cannot be deleted. This is dangerous because users or autonomous agents may deploy sensitive, copyrighted, malicious, or mistaken content without appreciating that disclosure is irreversible. The context makes this more serious because the whole purpose of the skill is permanent blockchain publication.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script performs real blockchain state-changing actions automatically once invoked, including minting a Genesis Key NFT if absent and minting the site NFT, without any explicit confirmation or dry-run step. In an agent/automation context, this increases the risk of unintended transactions, gas spend, and irreversible on-chain writes from unreviewed input or mistaken invocation.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.