
Security audit

Realtime NBA Sportsdata and analytics for Prediction Markets

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed paid NBA data connector; its main risk is that API calls can spend wallet funds via x402.

Install only if you are comfortable with an agent making paid x402 API calls to the listed third-party Daredevil endpoint. Use a testnet or limited-balance wallet first, require wallet confirmation for each paid request where possible, and monitor costs because analysis questions may trigger several paid data calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs the agent to make paid x402 requests and sign payments with the user's wallet, but it does not present a clear upfront warning that each query can trigger wallet signing and spend funds. That creates a real risk of unexpected charges, especially because the workflow encourages multiple paid calls for a single analysis request.

VirusTotal

66/66 vendors flagged this skill as clean.
