Agentic Commerce - Buy IRL Items With USDC

Security checks across malware telemetry and agentic risk

Overview

The skill matches its crypto-shopping purpose, but it asks for raw wallet private keys and can immediately send real irreversible payments without a clear review step.

Review carefully before installing or using it with real funds. Do not pass a main wallet's private key to these scripts or to an agent; prefer the browser checkout or a trusted wallet/hardware-wallet flow, and use only a dedicated low-balance wallet for testing. Before paying, independently verify the merchant, the USDC amount, the chain, the recipient/contract address, the fees, and what personal shipping data is sent to api.purch.xyz.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (13)

Missing User Warnings (Medium, 94% confidence)

The checkout examples collect and transmit email, shipping address, phone number, wallet address, and product/order details to an external service without an explicit warning, consent step, or minimization guidance. This is dangerous because users or integrators may copy the examples directly and send sensitive personal data to a third party without understanding the privacy implications.

Missing User Warnings (High, 97% confidence)

The end-to-end signing flows submit real blockchain payment transactions and print success output, but they do not include a clear caution that signing is irreversible and may transfer real funds. This is especially dangerous in a commerce skill because users may execute sample code against mainnet and approve transactions they did not inspect.

Missing User Warnings (Medium, 94% confidence)

The script transmits sensitive personal data including email address, wallet address, and full shipping address to an external service at api.purch.xyz, but the CLI UX does not clearly warn the user that this information will be sent off-host. In a shopping workflow this transmission is expected, but the absence of explicit disclosure and consent increases privacy risk, especially because the tool handles both financial and shipping data.

Missing User Warnings (Medium, 94% confidence)

The script sends sensitive personal data including email, wallet address, shipping address, and purchase details to a third-party API endpoint, but provides no explicit privacy notice, consent prompt, or data-handling disclosure at the point of use. In a shopping/checkout skill this data transfer is functionally expected, but omitting a clear warning increases the risk of users unintentionally disclosing personally identifiable information to a remote service they may not realize is external.

Missing User Warnings (High, 98% confidence)

The script directly accepts a base58 private key via command-line argument and uses it to sign and submit a live mainnet Solana transaction returned by a remote API. This is dangerous because command-line secrets can be exposed through shell history, process listings, logs, and automation tooling, and the code performs no transaction review, amount verification, destination validation, or explicit confirmation before broadcasting a real payment.

Missing User Warnings (High, 98% confidence)

The script instructs users to pass a base58 private key via the command line and then parses it from process arguments. Command-line arguments are commonly exposed through shell history, process listings, logs, crash reports, and CI telemetry, so this can leak the wallet secret and enable full theft of funds or unauthorized signing.

Missing User Warnings (High, 98% confidence)

The script requires a raw private key to be passed via the CLI and examples encourage doing so directly on the command line. Command-line secrets are commonly exposed through shell history, process listings, CI logs, and telemetry, making theft of the wallet key plausible and leading to full compromise of funds and signing authority. In the context of a shopping and crypto checkout skill, this is especially dangerous because users are explicitly guided to use the key for live payment transactions.

Missing User Warnings (High, 96% confidence)

After receiving a serialized transaction from a remote API, the script immediately signs and submits it without a confirmation step or a trustworthy display of critical transaction details for user review. This creates a high-risk blind-signing flow: if the API response is incorrect, manipulated, or compromised, the user may irreversibly approve an unintended on-chain payment or contract interaction. The shopping/checkout context increases risk because irreversible blockchain transfers are expected, making unsafe automation more likely to be used in production-like scenarios.

Missing User Warnings (Medium, 89% confidence)

The script signs and broadcasts a blockchain transaction obtained from an external `/buy` endpoint without displaying the transaction contents or requiring an explicit user confirmation step. In this skill's shopping-and-crypto-checkout context, that creates a real risk that a user or calling system signs an unintended or manipulated transfer, and blockchain submissions are typically irreversible once confirmed.

Missing User Warnings (High, 98% confidence)

Accepting a Solana private key as a command-line argument exposes it to shell history, process listings, audit logs, and monitoring tools on the host. In a crypto checkout skill that signs real transactions, disclosure of this key would allow an attacker to take over the wallet and authorize arbitrary transfers.

Missing User Warnings (Medium, 96% confidence)

The script signs and immediately broadcasts a live Solana transaction from untrusted serialized input with no human-readable review, simulation summary, or explicit confirmation step. In the context of a shopping/checkout skill that handles real purchases, this creates a meaningful risk that a user or integrating agent will submit a malicious or incorrect transaction and irreversibly transfer funds.
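The review step that the blind-signing findings above say is missing, as an added example that is not code from the skill, purch.xyz, or SkillSpector. It covers the Base (EVM) side of the checkout: it assumes the `/buy` endpoint returns an unsigned EIP-1559 (type 2) transaction as hex and that the payment is a plain USDC `transfer(address,uint256)`. The USDC contract, merchant and recipient addresses and the amounts are constructed placeholders (a real integration takes the contract address from the token issuer's published list and the merchant address and amount from the quote the user actually read); `reviewCheckoutTx`, `buildUnsignedTx` and the `EXPECTED` object are names chosen here.

```javascript
// Added example, not code from the skill, purch.xyz or SkillSpector. Assumes the /buy endpoint
// returns an unsigned EIP-1559 (type 2) transaction for Base as hex and that the payment is a
// plain USDC transfer(address,uint256). All addresses and amounts below are constructed.
const TRANSFER_SELECTOR = "a9059cbb"; // first 4 bytes of keccak256("transfer(address,uint256)")

// --- minimal RLP, enough to encode and decode a type-2 transaction ---------------------------
function bigToBytes(n) {   // minimal big-endian; 0n is the empty string in RLP
  const hex = n.toString(16);
  return n === 0n ? Buffer.alloc(0) : Buffer.from(hex.length % 2 ? "0" + hex : hex, "hex");
}
function bytesToBig(b) { return b.length ? BigInt("0x" + b.toString("hex")) : 0n; }
function hexToBuf(h) { return Buffer.from(h.replace(/^0x/, ""), "hex"); }
function encodeLength(len, offset) {   // short form below 56 bytes, else length-of-length form
  if (len < 56) return Buffer.from([offset + len]);
  const lb = bigToBytes(BigInt(len));
  return Buffer.concat([Buffer.from([offset + 55 + lb.length]), lb]);
}
function rlpEncode(item) {
  if (Array.isArray(item)) {
    const p = Buffer.concat(item.map((x) => rlpEncode(x)));
    return Buffer.concat([encodeLength(p.length, 0xc0), p]);
  }
  return item.length === 1 && item[0] < 0x80 ? item : Buffer.concat([encodeLength(item.length, 0x80), item]);
}
function decodeItem(buf) {             // returns [item, remaining bytes]; items are Buffers or arrays
  if (!buf.length) throw new Error("truncated RLP");
  const b = buf[0];
  if (b < 0x80) return [buf.subarray(0, 1), buf.subarray(1)];
  const isList = b >= 0xc0, base = isList ? 0xc0 : 0x80;
  const lenOfLen = b - base < 56 ? 0 : b - base - 55;
  const len = lenOfLen ? Number(bytesToBig(buf.subarray(1, 1 + lenOfLen))) : b - base;
  const start = 1 + lenOfLen, end = start + len;
  if (buf.length < end) throw new Error("truncated RLP");
  if (!isList) return [buf.subarray(start, end), buf.subarray(end)];
  const items = [];
  for (let rest = buf.subarray(start, end); rest.length; ) { const [it, r] = decodeItem(rest); items.push(it); rest = r; }
  return [items, buf.subarray(end)];
}
function rlpDecode(buf) {
  const [item, rest] = decodeItem(buf);
  if (rest.length) throw new Error("trailing bytes after RLP item");
  return item;
}

// --- parse the unsigned transaction and the ERC-20 transfer inside it -------------------------
function parseUnsignedEip1559(hex) {
  const raw = hexToBuf(hex);
  if (raw[0] !== 0x02) throw new Error("not a type-2 transaction; refusing to sign");
  const f = rlpDecode(raw.subarray(1));
  if (!Array.isArray(f) || f.length !== 9) throw new Error("unexpected field count; refusing to sign");
  return { chainId: bytesToBig(f[0]), nonce: bytesToBig(f[1]), maxPriorityFee: bytesToBig(f[2]), maxFee: bytesToBig(f[3]),
           gasLimit: bytesToBig(f[4]), to: "0x" + f[5].toString("hex"), value: bytesToBig(f[6]), data: f[7], accessList: f[8] };
}
function decodeErc20Transfer(data) {   // null unless calldata is exactly transfer(address,uint256)
  if (data.length !== 68 || data.subarray(0, 4).toString("hex") !== TRANSFER_SELECTOR) return null;
  return { to: "0x" + data.subarray(16, 36).toString("hex"), amount: bytesToBig(data.subarray(36, 68)) };
}

// Compare what the API wants signed with what the user agreed to pay. Every mismatch is reported;
// the caller prints them and must not sign unless `ok` is true.
function reviewCheckoutTx(hex, expected) {
  const tx = parseUnsignedEip1559(hex), problems = [];
  if (tx.chainId !== expected.chainId) problems.push(`chain id ${tx.chainId}, expected ${expected.chainId}`);
  if (tx.to !== expected.token.toLowerCase()) problems.push(`call target ${tx.to} is not the expected USDC contract`);
  if (tx.value !== 0n) problems.push(`attaches ${tx.value} wei of native ETH; a USDC payment attaches none`);
  if (tx.gasLimit > expected.maxGasLimit) problems.push(`gas limit ${tx.gasLimit} above cap ${expected.maxGasLimit}`);
  const transfer = decodeErc20Transfer(tx.data);
  if (!transfer) problems.push("calldata is not a plain transfer(address,uint256); could be approve or an arbitrary call");
  else {
    if (transfer.to !== expected.recipient.toLowerCase()) problems.push(`USDC goes to ${transfer.to}, not merchant ${expected.recipient}`);
    if (transfer.amount !== expected.amount) problems.push(`USDC amount ${transfer.amount}, quoted ${expected.amount} (6-decimal base units)`);
  }
  return { ok: problems.length === 0, problems, transfer, tx };
}

// --- constructed sample of what a /buy response could contain, built with the same encoder ------
function transferCalldata(recipient, amount) {
  const pad32 = (b) => Buffer.concat([Buffer.alloc(32 - b.length), b]);
  return Buffer.concat([Buffer.from(TRANSFER_SELECTOR, "hex"), pad32(hexToBuf(recipient)), pad32(bigToBytes(amount))]);
}
function buildUnsignedTx({ chainId, nonce, to, data, gasLimit }) {   // 1 gwei tip, 2 gwei max fee, no ETH value
  const fields = [bigToBytes(chainId), bigToBytes(nonce), bigToBytes(1_000_000_000n), bigToBytes(2_000_000_000n),
                  bigToBytes(gasLimit), hexToBuf(to), bigToBytes(0n), data, []];
  return "0x02" + rlpEncode(fields).toString("hex");
}
const EXPECTED = {   // from the quote the user actually read; chain id 8453 is Base mainnet, the rest is constructed
  chainId: 8453n, token: "0x" + "11".repeat(20), recipient: "0x" + "22".repeat(20),
  amount: 12_500_000n /* 12.50 USDC */, maxGasLimit: 100_000n,
};
function demo() {
  const common = { chainId: 8453n, nonce: 7n, to: EXPECTED.token, gasLimit: 60_000n };
  const honest = buildUnsignedTx({ ...common, data: transferCalldata(EXPECTED.recipient, EXPECTED.amount) });
  const tampered = buildUnsignedTx({ ...common, data: transferCalldata("0x" + "33".repeat(20), 990_000_000n) }); // swapped payee, 990 USDC
  return { honest: reviewCheckoutTx(honest, EXPECTED), tampered: reviewCheckoutTx(tampered, EXPECTED) };
}
if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log("honest ok:", r.honest.ok, "| tampered ok:", r.tampered.ok, r.tampered.problems);
}
```

The point of decoding the transaction locally is that the values shown to the user come from the bytes that will actually be signed, not from a separate "summary" field in the API response that a compromised endpoint could make say anything. Anything other than a plain `transfer` to the quoted contract (an `approve`, a non-zero ETH value, an unexpected chain id) is refused outright rather than left for the user to notice; for the Solana side of the skill the same approach applies, decoding the returned message and checking the SPL token transfer instruction's mint, destination and amount before signing.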

Missing User Warnings (High, 99% confidence)

Accepting a raw Solana private key as a command-line argument is dangerous because command-line arguments are commonly exposed through shell history, process listings, job logs, crash reports, and monitoring tools. Since this skill is specifically designed to sign blockchain purchases, compromise of that key can lead to full wallet theft and unauthorized transactions, making the context especially sensitive.

Missing User Warnings (Medium, 96% confidence)

The script explicitly instructs users to pass a raw private key on the command line, which can expose the secret through shell history, process listings, audit logs, CI job output, or terminal recording. In this skill's context, the risk is elevated because the key is for signing real Base blockchain purchase transactions, so compromise of the key can lead to unauthorized fund transfers and wallet takeover.

VirusTotal

64/64 vendors flagged this skill as clean.
