🦄 Powerloom Uniswap V3 timeseries data

Security checks across malware telemetry and agentic risk

Overview

This skill is not artifact-backed malicious, but it needs review because its optional setup can make an agent handle wallet private keys, long-lived credentials, and irreversible on-chain payments.

Prefer the free-key/browser signup path and avoid giving the skill any wallet private key. If you use the wallet-funded path, use only a low-balance burner wallet, run dry-run first, verify recipient, chain, token, and amount yourself, and remove the private key after payment. Use a secret manager or protected environment injection instead of pasting secrets into chat or inline cron commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The file exposes access to an EVM private key via environment configuration even though the skill is described as a monitoring and verification tool. Introducing signing-key material into a read-oriented skill expands the blast radius significantly: any downstream code path, dependency, or prompt-influenced action that accesses this helper could enable unauthorized on-chain transactions or key exfiltration.

Context-Inappropriate Capability

High
Confidence: 96%
Finding
This script ingests a private EVM key, obtains payment instructions from a remote service, and then signs and broadcasts an on-chain transfer to a server-provided recipient/token contract. Even with a confirmation prompt and chain-id check, this creates a direct fund-spending path that is not necessary for a monitoring/verification skill and materially increases the risk of wallet draining, misdirection of funds, or abuse in automated/non-interactive environments.

Vague Triggers

Medium
Confidence: 90%
Finding
The skill advertises trigger phrases that include broad natural-language terms such as "track trades," "by token," "Powerloom," and "verified data," which can match benign user requests outside the intended scope. In agent platforms that auto-select skills from trigger text, this increases the chance of unintended invocation, causing unnecessary external API calls, confusing behavior, or execution of higher-risk wallet-related onboarding guidance when the user did not explicitly request it.

Ssd 3

Medium
Confidence: 96%
Finding
The prompt explicitly instructs the agent to solicit highly sensitive secrets in chat, including an API key and Telegram bot credentials, and then use them for environment wiring. Secrets gathered through conversational channels are prone to logging, transcript retention, and accidental disclosure to other tools or users, increasing the chance of credential compromise beyond the intended runtime.

Ssd 3

High
Confidence: 99%
Finding
The instructions require embedding secrets directly into the cron message as inline environment variables, which can expose them via process listings, job definitions, logs, shell history, debug output, or UI inspection. This turns long-lived credentials into plaintext operational metadata and substantially enlarges the exposure surface.

VirusTotal

66/66 vendors flagged this skill as clean.
