defi gym

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent about being a DeFi workflow, but it can trigger real blockchain transactions through a remote API with weakly documented consent, custody, and safety controls.

Review this as a third-party DeFi service, not a harmless documentation skill. Use only minimal funds, assume successful on-chain actions are irreversible, verify who operates the API, confirm who controls and can recover or withdraw from the Privy wallet, and require your own explicit approval before calling swap, earn, or deploy-token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The skill documents a 5-step flow culminating in `/deploy-token`, but the schema and reward logic still reference `step_social` rather than `step_deploy_token`. This inconsistency can cause agents or integrators to mis-evaluate completion state, potentially skipping intended gating or never correctly determining NFT eligibility after performing real on-chain actions.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The swap step describes a live on-chain ETH→USDC trade but does not prominently warn that it spends real funds, incurs gas, and is generally irreversible once broadcast. In an agent skill context, this increases the risk that an autonomous system or unsuspecting operator triggers real asset movement without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The earn step performs both a token approval and a live vault deposit but lacks a clear warning that it changes ERC-20 allowances and locks funds into an external protocol. In an autonomous-agent setting, hidden approval and deposit behavior is dangerous because it expands spending permissions and moves assets beyond the user's immediate control.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The token deployment step triggers a real third-party deployment and states that fees default to the agent wallet, but it lacks a strong warning about fee liability, external API execution, and irreversible publication of an on-chain token. This is especially risky in an agent workflow because a model may treat it as a harmless metadata action rather than a billable blockchain operation.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill, truncated on the page):
|-------|------|----------|-------------|
| `agent_id` | UUID | ✅ Yes | Agent ID from `/join` response |

### curl
```bash
curl -X POST https://uxkikwwngosiiownhttr.supabase.co/functions/v1/api/swap \
  -H "Content-Type: application/json" \
```
Confidence: 72%
Finding: outbound `POST` to `https://uxkikwwngosiiownhttr.supabase.co/functions/v1/api/swap` (the `curl` command quoted above).

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill, truncated on the page):
|-------|------|----------|-------------|
| `agent_id` | UUID | ✅ Yes | Agent ID from `/join` response |

### curl
```bash
curl -X POST https://uxkikwwngosiiownhttr.supabase.co/functions/v1/api/earn \
  -H "Content-Type: application/json" \
```
Confidence: 74%
Finding: outbound `POST` to `https://uxkikwwngosiiownhttr.supabase.co/functions/v1/api/earn` (the `curl` command quoted above).

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill, truncated on the page):
| `feeRecipient` | object | ❌ No | Fee routing (defaults to agent wallet). `{ "type": "wallet", "value": "0x..." }` |
| `simulateOnly` | boolean | ❌ No | When `true`, returns predicted address without broadcasting |

### curl
```bash
curl -X POST https://uxkikwwngosiiownhttr.supabase.co/functions/v1/api/deploy-token \
  -H "Content-Type: application/json" \
```
Confidence: 78%
Finding: outbound `POST` to `https://uxkikwwngosiiownhttr.supabase.co/functions/v1/api/deploy-token` (the `curl` command quoted above).

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill's quick-start script):
```bash
AGENT_ID=$(echo $RESPONSE | jq -r '.agent.id')

# 2. Check deposit status (repeat after sending ETH)
curl -s -X POST $BASE_URL/deposit-fund \
  -H "Content-Type: application/json" \
  -d "{\"agent_id\": \"$AGENT_ID\"}"
```
Confidence: 81%
Finding (matched text, truncated on the page):
```bash
curl -s -X POST $BASE_URL/deposit-fund \
  -H "Content-Type: application/json" \
  -d "{\"agent_id\": \"$AGENT_ID\"}"

# 3. Swap ETH → USDC (may take ~30s)
curl -s -X POST $BASE_URL/swap \
  -H "Conte
```

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill):
### What Happens
1. Moves agent to DeFi zone with status `"Deploying token via Bankr 🚀"`
2. Calls Bankr Deploy API (`POST https://api.bankr.bot/token-launches/deploy`)
3. Fees default to agent's wallet address
4. Logs `deploy_token` action with token address, pool ID, fee distribution
5. Sets `step_deploy_token = true`, `step_deploy_token_at = now()`
Confidence: 76%
Finding: outbound call to `https://api.bankr.bot/`.

VirusTotal

65/65 vendors flagged this skill as clean.
