Back to skill

Security audit

Bags

Security checks across malware telemetry and agentic risk

Overview

The Bags skill matches its Solana DeFi purpose, but it deserves Review because it handles live wallets/private keys and silently rewrites its own skill files from remote URLs.

Install only if you are comfortable letting an agent work with real Solana funds and Bags credentials. Use a low-value wallet, avoid or disable the silent heartbeat update, review every transaction before signing or submitting, and rotate credentials immediately if private keys, JWTs, or API keys may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (35)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The guide instructs the agent to call `/agent/wallet/export` to retrieve the wallet private key solely to complete a fee-claim workflow. Exporting a private key materially increases secret exposure risk, expands the blast radius from a single claim action to full wallet compromise, and is not the least-privilege approach for the stated task.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The heartbeat includes a silent self-update mechanism that fetches multiple remote files and overwrites local skill content without user approval, integrity verification, or pinning to a trusted version. This creates a supply-chain execution path where a compromised server, DNS, or transport endpoint can change the agent's future behavior persistently and outside the user’s awareness.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The complete heartbeat script contains autonomous remote content synchronization that is unrelated to a basic monitoring/check-in function and silently modifies local files. Embedding this persistence-changing behavior in a routine task increases the chance it will run frequently and unnoticed, magnifying supply-chain and integrity risks.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The trading documentation instructs users to export a raw wallet private key during a swap flow, which is far more sensitive than what is required for quoting or normal transaction preparation. Exposing private keys to shell variables, subprocesses, and local scripts materially increases the chance of key theft and total wallet compromise.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The complete swap script operationalizes raw private-key export as part of normal execution, turning a documentation issue into a directly reproducible insecure pattern. Any compromise of the local environment, shell history, process table, logs, or helper script can leak the key and enable irreversible theft of all wallet assets.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The instructions tell users to persist a 365-day JWT and API key to a local file, but do not explicitly warn that these are long-lived secrets that must not be committed to source control, shared in logs, or stored on shared/multi-user systems. If that file is copied, backed up insecurely, or accidentally checked into a repository, an attacker can reuse the credentials to access the Bags account and related wallets.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document repeatedly encourages launching tokens, trading, and claiming fees in a real-money environment while explicitly emphasizing urgency and experimentation, but it omits warnings about financial loss, scams, tax/compliance obligations, and irreversible on-chain transactions. In an agent skill, this can nudge autonomous or semi-autonomous systems toward unsafe financial actions without adequate user confirmation or risk controls.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The 'Did You Get Bagged?' section encourages people to connect profiles, verify ownership, and monetize coins tied to their content or identity without discussing consent, impersonation risk, privacy exposure, or disputes over ownership. In this skill's context, that is more dangerous because the platform explicitly supports tokenizing other humans or agents, making identity/content monetization and profile-linking a core workflow rather than a hypothetical edge case.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow has the user sign and broadcast one or more base58-encoded transactions supplied by an API without an explicit warning that signing grants on-chain authority and may have irreversible blockchain effects. In this skill context, that omission is dangerous because users are told to sign opaque transactions, increasing the risk of unintended transfers or approval of malicious instructions if the upstream response is compromised or misunderstood.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Silent auto-update behavior changes local files without a user-facing warning or consent flow. Even if intended as convenience, undisclosed modification of agent skill files reduces transparency and can conceal dangerous behavior changes introduced remotely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This section instructs users to export a wallet private key, sign returned transactions, and submit them on-chain without any explicit warning that the process handles highly sensitive key material and authorizes real blockchain state changes. In a skill intended for humans and autonomous agents, omission of a clear safety warning materially increases the risk of accidental credential exposure or unintended signing of unreviewed transactions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The launch flow creates, signs, and broadcasts a live token launch transaction with optional initial spend, but does not clearly warn that execution will incur real on-chain effects and may spend funds. For an agent skill, that missing disclosure makes accidental execution more dangerous because an operator may treat the example as a dry run rather than a production transaction path.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The complete script is turnkey automation for reading credentials, exporting a private key, signing arbitrary API-supplied transactions, and broadcasting them, yet it lacks an upfront warning describing the sensitivity and irreversibility of these actions. Because it is packaged as a ready-to-run script, the missing warning substantially increases the likelihood of unsafe copy-paste execution by users or agents.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list contains several generic phrases such as "claim fees," "launch token," and especially "check bags" that could match ordinary user conversation and invoke this skill unintentionally. In a DeFi skill that can manage wallets, claim fees, trade tokens, and launch tokens, accidental activation materially increases the chance of unintended high-risk financial actions or disclosure of wallet-related context.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The skill explicitly encourages activation through broad natural-language prompts for high-risk financial actions such as claiming funds, trading, launching tokens, and creating API keys. Because it does not require explicit user confirmation, identity/beneficiary verification, or transaction preview before execution, an agent could over-trigger sensitive blockchain actions from ambiguous requests.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill promotes wallet management, fee claiming, trading, and token launches—including for other agents and humans—without consistently placing safety gates at the point of capability introduction. In a DeFi/blockchain context, these are financially sensitive and often irreversible operations, so presenting them as routine capabilities materially increases the chance of unauthorized transfers, bad trades, or unintended token launches.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The instructions guide users through creating, signing, and submitting a live on-chain swap without an explicit warning that the action can irreversibly move funds and that the process includes exporting a private key. In an agent skill context, missing consent and risk disclosure increases the chance of accidental high-impact financial actions.

External Transmission

Medium
Category
Data Exfiltration
Content
fi
    
    # Export private key
    BAGS_PRIVATE_KEY=$(curl -s -X POST "https://public-api-v2.bags.fm/api/v1/agent/wallet/export" \
      -H "Content-Type: application/json" \
      -d '{"token": "'"$BAGS_JWT_TOKEN"'", "walletAddress": "'"$BAGS_WALLET"'"}' \
      | jq -r '.response.privateKey')
Confidence
98% confidence
Finding
curl -s -X POST "https://public-api-v2.bags.fm/api/v1/agent/wallet/export" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
log "💓 Bags Heartbeat — $(date -u +%Y-%m-%dT%H:%M:%SZ)"

# 1. Check authentication
BAGS_AUTH_CHECK=$(curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/list \
  -H "Content-Type: application/json" \
  -d "{\"token\": \"$BAGS_JWT_TOKEN\"}")
Confidence
89% confidence
Finding
curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/list \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
if [ "$BAGS_TX_COUNT" -gt 0 ]; then
  # Export private key
  BAGS_PRIVATE_KEY=$(curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export \
    -H "Content-Type: application/json" \
    -d "{\"token\": \"$BAGS_JWT_TOKEN\", \"walletAddress\": \"$BAGS_WALLET\"}" \
    | jq -r '.response.privateKey')
Confidence
98% confidence
Finding
curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
BAGS_LAUNCH_TX=$(echo "$BAGS_LAUNCH_RESPONSE" | jq -r '.response.transaction')

# Export private key
BAGS_PRIVATE_KEY=$(curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export \
  -H "Content-Type: application/json" \
  -d "{\"token\": \"$BAGS_JWT_TOKEN\", \"walletAddress\": \"$BAGS_WALLET\"}" \
  | jq -r '.response.privateKey')
Confidence
98% confidence
Finding
curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
BAGS_RPC_URL="https://gene-v4mswe-fast-mainnet.helius-rpc.com"
  
  BAGS_PRIVATE_KEY=$(curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export \
    -H "Content-Type: application/json" \
    -d "{\"token\": \"$BAGS_JWT_TOKEN\", \"walletAddress\": \"$BAGS_WALLET\"}" \
    | jq -r '.response.privateKey')
Confidence
98% confidence
Finding
curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
BAGS_MAX_RETRIES=10

echo "📡 Signing and submitting..."
BAGS_PRIVATE_KEY=$(curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export \
  -H "Content-Type: application/json" \
  -d "{\"token\": \"$BAGS_JWT_TOKEN\", \"walletAddress\": \"$BAGS_WALLET\"}" \
  | jq -r '.response.privateKey')
Confidence
99% confidence
Finding
curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
BAGS_UNSIGNED_TX=$(echo "$BAGS_SWAP_RESPONSE" | jq -r '.response.transaction')

# Export private key
BAGS_PRIVATE_KEY=$(curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export \
  -H "Content-Type: application/json" \
  -d "{\"token\": \"$BAGS_JWT_TOKEN\", \"walletAddress\": \"$BAGS_WALLET\"}" \
  | jq -r '.response.privateKey')
Confidence
96% confidence
Finding
curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
# Step 3: Sign transaction
echo "🔑 Signing transaction..."
BAGS_PRIVATE_KEY=$(curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export \
  -H "Content-Type: application/json" \
  -d "{\"token\": \"$BAGS_JWT_TOKEN\", \"walletAddress\": \"$BAGS_WALLET\"}" \
  | jq -r '.response.privateKey')
Confidence
97% confidence
Finding
curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export \ -H "Content-Type: application/json" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.