Security audit

Giza

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for Giza DeFi account management, but it can change real yield strategy and account state, and some of its instructions are under-scoped or overly broad.

Install only if you trust Giza and are comfortable with DeFi account automation. Before allowing any withdrawal, deactivation, deposit processing, or protocol change, require the assistant to restate the exact network, amount or protocols, expected fund movement, fees, risks, and reversibility, then give explicit approval only if it matches your intent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The skill establishes a confirmation policy only for withdrawals and deactivation, but the protocol-change flow later executes giza_update_protocols without any explicit user confirmation. In a DeFi context, changing protocols can move funds between lending venues and materially alter risk exposure, so skipping confirmation can lead to unintended asset reallocation from ambiguous or misinterpreted user input.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
Broad trigger phrases such as 'Get started,' 'I'm new,' and especially 'How does this work?' are common in general conversation and can cause the skill to activate outside the user's intended scope. Because this skill can initiate financial onboarding and tool-driven account actions, overbroad routing increases the risk of accidental account-related operations or disclosure of account-specific flows in the wrong context.

Vague Triggers

Severity: Medium
Confidence: 96%
Finding
Using 'stop' as a deactivation intent signal is dangerously broad because it commonly appears in ordinary conversation, including requests to stop explaining or stop a previous action. In this skill, that ambiguity is especially risky because deactivation affects a live yield-generating financial account and could be triggered unintentionally if the assistant routes the utterance into the deactivation workflow.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.