Pay For Service

Security checks across malware telemetry and agentic risk

Overview

The skill appears to enable x402 paid API or content access, but its broad trigger could route ambiguous requests into wallet payment flows.

Install only if you want an agent to help access x402 paid resources. Use a dedicated low-balance wallet, require a visible price and recipient preview, and personally confirm each spend before payment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 88%
Finding
The invocation description is overly broad for a skill that can authorize real wallet payments and fetch paid content. Because it matches generic requests like 'paid service' or 'pay for this API call,' an agent may select this skill in ambiguous situations and initiate payment-related flows against unintended endpoints, increasing the chance of unauthorized spending or data retrieval.

VirusTotal

66/66 vendors flagged this skill as clean.
