Back to skill

Security audit

Warren - On-Chain NFT Deploy

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it handles raw wallet private keys and performs irreversible blockchain actions with weak user safeguards.

Review before installing. Use only a dedicated low-value MegaETH testnet wallet, do not reuse a mainnet or funded key, avoid passing private keys inline or with --private-key, and assume uploaded images, metadata, wallet address, and deployment details will become public and hard to undo.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill documentation instructs use of a raw private key and an RPC endpoint, which implies access to sensitive environment data and external network communication, yet no permissions are declared. This creates a transparency and consent problem: users may invoke a blockchain-deployment skill without being clearly warned that it will handle credentials and make outbound requests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The stated purpose is NFT deployment, but the skill also indicates it auto-mints a Genesis Key NFT and sends deployment metadata to an external megawarren.xyz API. Hidden or under-disclosed side effects are dangerous because they can trigger unexpected on-chain transactions and external data disclosure beyond what the user reasonably consented to.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script claims on-chain NFT deployment, but it also sends collection metadata and the owner's wallet address to an external Warren backend via REGISTER_API. This creates an off-chain dependency and discloses user/project metadata without being clearly surfaced as part of the core deployment flow.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The deployment flow automatically mints a separate Genesis Key NFT for the user's wallet if one is not already owned. Even if free, it performs an undisclosed blockchain action and spends user gas on an asset not described as a required side effect in the skill behavior.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill tells users to pass `PRIVATE_KEY=0x...` directly in the shell command, encouraging unsafe secret handling without any warning. Raw private keys can be exposed through shell history, process listings, terminal logs, CI logs, or copied command transcripts, leading to full wallet compromise and theft of assets on any network using that key.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script posts containerId, nftAddress, ownerAddress, and collection metadata to an external API without a strong upfront warning or explicit consent. In an agent-skill context, silent exfiltration of wallet-linked metadata is risky because users may assume the operation is fully local/on-chain.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
deploy-nft.js:22