Back to skill

Security audit

nadfun

Security checks across malware telemetry and agentic risk

Overview

This skill matches a crypto-launchpad integration, but its examples can expose wallet secrets or authorize real fund-moving actions too easily.

Install only if you are comfortable with an agent skill that helps operate crypto wallets and NadFun account/API workflows. Use a dedicated low-balance wallet, keep private keys and session cookies out of logs/prompts/source control, avoid unlimited approvals unless explicitly intended, verify network and contract/spender addresses before signing, and review any downloaded nad.fun files before relying on them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (13)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The skill’s written guidance says to approve only needed amounts, but elsewhere it demonstrates and normalizes unlimited approvals using the maximum uint256 value. In an agent skill context, this is dangerous because downstream agents or users may copy the unsafe pattern and grant a spender indefinite access to all present and future token balances if that spender is compromised or misconfigured.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The example explicitly prints a generated private key to the console, which can expose the secret through terminal history, CI logs, IDE consoles, shell recording, or hosted logging systems. Because this is a wallet-generation skill, readers may copy the example directly into real workflows, making accidental credential disclosure plausible despite the later security note.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The document describes payable and nonpayable state-changing operations such as token creation, buys, sells, approvals, permits, burns, and claims without consistently warning that these actions can move funds, consume gas, or have irreversible financial effects. In an agent skill context, this increases the risk that downstream tooling or users invoke dangerous methods without sufficient confirmation, slippage checks, or safety messaging.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide instructs users to upload images and metadata to third-party APIs and later submit on-chain transactions, but it does not prominently warn that uploaded content leaves the local environment and that blockchain transactions are public and irreversible. In an agent skill context, this omission is risky because a user may assume the workflow is local or reversible and unintentionally disclose data or spend funds.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The examples read a private key from process.env and proceed directly to wallet operations without a strong safety notice on secure secret handling. In an agent or copied-script setting, this normalizes plaintext environment-based key usage and can lead users to expose high-value wallet credentials in shells, logs, CI systems, or shared runtime environments.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The examples repeatedly instantiate a viem client against third-party RPC endpoints and immediately perform on-chain reads, but the documentation does not warn users that their IP address, wallet-related query patterns, token interests, and timing metadata will be disclosed to those external providers. While the calls are read-only and do not directly expose private keys, this is still a real privacy and operational security issue because users may paste sensitive token targets or run the examples in environments where outbound network access should be explicit.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The authentication examples retrieve a session cookie from response headers and create an API key, but only say to 'Store this securely!' without clearly warning that the session cookie and API key are bearer credentials that grant account access. In an agent-skill context, examples are often copied directly into automation, so insufficient guidance can lead to logging, persistence, or accidental disclosure of credentials.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The markdown explicitly demonstrates infinite token approval without an adjacent warning explaining that this gives the spender ongoing authority over the user’s tokens. Because the skill is positioned as copy-paste-ready and production-ready for AI agents, omission of that warning increases the chance that unsafe approval behavior is adopted automatically or without informed consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The complete workflow automatically checks allowance, performs a max approval to a hardcoded spender, and then transfers tokens, all without a prominent asset-movement warning or an explicit confirmation gate. In an agent setting, this is especially risky because it couples authorization and asset movement into a ready-to-run script, making accidental or overbroad token delegation much more likely.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document provides full mainnet trading workflows, including buy, sell, permit signing, and transaction submission, but does not prominently warn that mainnet actions use real funds and are irreversible. In a trading skill, this omission increases the chance that users or downstream agents execute examples on mainnet without appreciating financial risk, especially because the guide presents testnet and mainnet as equally routine options.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Displaying a freshly generated private key without an inline warning normalizes unsafe handling of high-value secrets. In wallet code, the private key is the sole control over funds, so any logging or output channel that captures it can enable account takeover and irreversible asset loss.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The complete example again logs the generated private key, reinforcing unsafe practice in a more realistic end-to-end workflow that users are especially likely to reuse. Since wallet examples are often adapted into scripts and bots, this increases the chance the secret will leak into operational logs or monitoring systems.

External Transmission

Medium
Category
Data Exfiltration
Content
API_URL="https://dev-api.nad.fun"  # testnet
# API_URL="https://api.nadapp.net"  # mainnet

curl -X POST "${API_URL}/agent/token/image" \
  -H "Content-Type: image/png" \
  -H "X-API-Key: nadfun_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
  --data-binary @my-token.png
Confidence
93% confidence
Finding
curl -X POST "${API_URL}/agent/token/image" \ -H "Content-Type: image/png" \ -H "X-API-Key: nadfun_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ --data-binary @my-token.png # Response: # { # "image_uri

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
AGENT-API.md:236

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
CREATE.md:32

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
WALLET.md:21