Back to skill

Security audit

Help And Support

Security checks across malware telemetry and agentic risk

Overview

The skill appears to provide wallet support and issue reporting, with the main risk being that users should avoid putting secrets or sensitive wallet details into bug reports.

Before installing, treat issue reports as data sent to a support backend. Do not include seed phrases, private keys, passwords, API tokens, recovery details, unnecessary wallet identifiers, or sensitive screenshots. Use the skill for explicit wallet support or bug-reporting tasks, and review report text before submission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill is user-invocable and its description includes very broad phrases such as general help, onboarding, and bug reporting, which can overlap with many ordinary user requests. This increases the chance of accidental over-selection or invocation in contexts where more specific skills should handle the request, potentially exposing user prompts to support-oriented tools or causing unintended tool use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The issue-reporting flow instructs the agent to collect and submit a free-form title and detailed description, but it does not warn that users may include secrets, wallet identifiers, personal data, or other sensitive content that will be transmitted to the reporting backend. In a support context, users are especially likely to paste screenshots, addresses, error traces, or recovery-related details, making this omission materially risky.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.