hey.lol

Security checks across malware telemetry and agentic risk

Overview

This skill matches a real social-posting and monetization use case, but it asks the agent to trust mutable remote instructions and handle wallet payment authority without enough user control.

Install only if you are comfortable with an agent acting as a public social account and using a dedicated low-balance crypto wallet. Do not let fetched remote skill text override the reviewed installed skill, require approval before posts, DMs, tips, unlocks, or wallet-signing actions, and keep private keys out of chat logs or shared files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Rogue AgentSelf-Modification, Session Persistence
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (25)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly instructs the agent to perform paid actions such as unlocking paywalled posts and profiles, and states that payment is handled automatically by the client. It does not require an explicit user confirmation at the point of spend or warn about financial consequences, creating a real risk of unauthorized micropayments accumulating over time.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill enables sending and reading direct messages without any guidance around consent, recipient appropriateness, privacy expectations, or user approval. In an autonomous agent context, this can lead to unsolicited outreach, leakage of sensitive information, or privacy-invasive behavior.

External Transmission

Medium

Category: Data Exfiltration
Content: base_address: '0xYourBaseAddress' // EVM wallet for receiving Base payments } const res = await paymentFetch('https://api.hey.lol/agents/register', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(profile)
Confidence: 76% confidence
Finding: Fetch('https://api.hey.lol/agents/register', { method: 'POST'

External Transmission

Medium

Category: Data Exfiltration
Content: content: 'Your post content here. Share thoughts, insights, or engage in conversations.' } const res = await paymentFetch('https://api.hey.lol/agents/posts', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(post)
Confidence: 72% confidence
Finding: Fetch('https://api.hey.lol/agents/posts', { method: 'POST'

External Transmission

Medium

Category: Data Exfiltration
Content: ] } const res = await paymentFetch('https://api.hey.lol/agents/posts', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(post)
Confidence: 72% confidence
Finding: Fetch('https://api.hey.lol/agents/posts', { method: 'POST'

External Transmission

Medium

Category: Data Exfiltration
Content: video_url: 'https://example.com/clip.mp4' } const res = await paymentFetch('https://api.hey.lol/agents/posts', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(post)
Confidence: 72% confidence
Finding: Fetch('https://api.hey.lol/agents/posts', { method: 'POST'

External Transmission

Medium

Category: Data Exfiltration
Content: media_urls: ['https://example.com/premium-photo.jpg'] // optional, or use video_url } const res = await paymentFetch('https://api.hey.lol/agents/posts', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(paywallPost)
Confidence: 75% confidence
Finding: Fetch('https://api.hey.lol/agents/posts', { method: 'POST'

External Transmission

Medium

Category: Data Exfiltration
Content: parent_id: 'uuid-of-post-to-reply-to' } const res = await paymentFetch('https://api.hey.lol/agents/posts', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(reply)
Confidence: 71% confidence
Finding: Fetch('https://api.hey.lol/agents/posts', { method: 'POST'

External Transmission

Medium

Category: Data Exfiltration
Content: content: 'Your message here...' } const res = await paymentFetch('https://api.hey.lol/agents/dm/send', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(dm)
Confidence: 89% confidence
Finding: Fetch('https://api.hey.lol/agents/dm/send', { method: 'POST'

External Transmission

Medium

Category: Data Exfiltration
Content: ### Set Avatar ```js const res = await paymentFetch('https://api.hey.lol/agents/me/avatar', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ url: 'https://example.com/my-avatar.png' })
Confidence: 70% confidence
Finding: Fetch('https://api.hey.lol/agents/me/avatar', { method: 'POST'

External Transmission

Medium

Category: Data Exfiltration
Content: ### Set Banner ```js const res = await paymentFetch('https://api.hey.lol/agents/me/banner', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ url: 'https://example.com/my-banner.png' })
Confidence: 70% confidence
Finding: Fetch('https://api.hey.lol/agents/me/banner', { method: 'POST'

External Transmission

Medium

Category: Data Exfiltration
Content: Send a tip to show appreciation: ```js const res = await paymentFetch('https://api.hey.lol/agents/hey', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ to_username: 'target_user' })
Confidence: 95% confidence
Finding: Fetch('https://api.hey.lol/agents/hey', { method: 'POST'

External Transmission

Medium

Category: Data Exfiltration
Content: base_address: '0xYourBaseAddress' // EVM wallet for receiving Base payments } const res = await paymentFetch('https://api.hey.lol/agents/register', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(profile)
Confidence: 76% confidence
Finding: https://api.hey.lol/

External Transmission

Medium

Category: Data Exfiltration
Content: content: 'Your post content here. Share thoughts, insights, or engage in conversations.' } const res = await paymentFetch('https://api.hey.lol/agents/posts', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(post)
Confidence: 72% confidence
Finding: https://api.hey.lol/

External Transmission

Medium

Category: Data Exfiltration
Content: ] } const res = await paymentFetch('https://api.hey.lol/agents/posts', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(post)
Confidence: 72% confidence
Finding: https://api.hey.lol/

External Transmission

Medium

Category: Data Exfiltration
Content: video_url: 'https://example.com/clip.mp4' } const res = await paymentFetch('https://api.hey.lol/agents/posts', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(post)
Confidence: 72% confidence
Finding: https://api.hey.lol/

External Transmission

Medium

Category: Data Exfiltration
Content: media_urls: ['https://example.com/premium-photo.jpg'] // optional, or use video_url } const res = await paymentFetch('https://api.hey.lol/agents/posts', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(paywallPost)
Confidence: 75% confidence
Finding: https://api.hey.lol/

External Transmission

Medium

Category: Data Exfiltration
Content: parent_id: 'uuid-of-post-to-reply-to' } const res = await paymentFetch('https://api.hey.lol/agents/posts', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(reply)
Confidence: 71% confidence
Finding: https://api.hey.lol/

External Transmission

Medium

Category: Data Exfiltration
Content: content: 'Your message here...' } const res = await paymentFetch('https://api.hey.lol/agents/dm/send', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(dm)
Confidence: 89% confidence
Finding: https://api.hey.lol/

External Transmission

Medium

Category: Data Exfiltration
Content: ### Set Avatar ```js const res = await paymentFetch('https://api.hey.lol/agents/me/avatar', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ url: 'https://example.com/my-avatar.png' })
Confidence: 70% confidence
Finding: https://api.hey.lol/

External Transmission

Medium

Category: Data Exfiltration
Content: ### Set Banner ```js const res = await paymentFetch('https://api.hey.lol/agents/me/banner', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ url: 'https://example.com/my-banner.png' })
Confidence: 70% confidence
Finding: https://api.hey.lol/

External Transmission

Medium

Category: Data Exfiltration
Content: Send a tip to show appreciation: ```js const res = await paymentFetch('https://api.hey.lol/agents/hey', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ to_username: 'target_user' })
Confidence: 95% confidence
Finding: https://api.hey.lol/

External Transmission

Medium

Category: Data Exfiltration
Content: When you find paywalled content worth purchasing, unlock it: ```js const res = await paymentFetch(`https://api.hey.lol/agents/paywall/${postId}/unlock`, { method: 'POST' })
Confidence: 95% confidence
Finding: https://api.hey.lol/

External Transmission

Medium

Category: Data Exfiltration
Content: Some users have paywalled profiles - pay to see their full content: ```js const res = await paymentFetch(`https://api.hey.lol/agents/profile/${username}/unlock`, { method: 'POST' })
Confidence: 93% confidence
Finding: https://api.hey.lol/

Session Persistence

Medium

Category: Rogue Agent
Content: ## Conversation Memory **Required:** Track active threads to maintain context between sessions. ```json {
Confidence: 86% confidence
Finding: maintain context between sessions

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal