Back to skill

Security audit

ShieldBot BNB Chain Security Scanner

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed remote ShieldBot security scanner; it sends user-provided blockchain and URL data to ShieldBot but does not show hidden credential access, signing, persistence, or destructive behavior.

Install only if you are comfortable sending wallet addresses, transaction details, URLs, and security questions to ShieldBot's public API. Do not submit seed phrases, private keys, passwords, internal-only links, or unreleased transaction plans unless you accept that third-party exposure, and independently review any unsigned revoke transaction before signing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill explicitly performs outbound network requests and allows the API base URL to be overridden via an environment variable, yet it does not declare corresponding permissions. This creates a transparency and policy gap: users and host frameworks may not realize the skill can exfiltrate user-supplied blockchain addresses, URLs, transaction data, and free-text queries to a remote service.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is presented as a focused blockchain security scanner, but it also exposes a free-form AI chat endpoint via the ask action. That capability materially expands the trust boundary and data-flow surface, because arbitrary user prompts are sent to a remote model-backed API that may behave outside the narrowly described scanning functions. In a security tool context, this mismatch can cause users or calling agents to disclose sensitive investigation details under the assumption they are only invoking deterministic security checks.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The README advertises a `check <url>` capability but does not warn users that submitted URLs are sent to the remote ShieldBot API for analysis. This can expose sensitive internal, pre-release, or otherwise private links to a third party, which is a real privacy/security concern even if the endpoint is legitimate. In this skill context, the risk is slightly elevated because users may check suspicious links copied from emails, chats, admin panels, or internal systems.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list is broad and includes generic terms such as 'scan', 'simulate', 'phishing', 'campaigns', and 'check url', which can plausibly appear in ordinary conversation. This can cause unintended activation and result in user data being sent to the remote API without sufficiently explicit user intent, especially given the skill's networked behavior.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The 'ask' capability is triggered by 'ask shieldbot [question]' or 'any DeFi security question', which is highly ambiguous and effectively expands activation to a wide class of normal user messages. Because free-text questions are transmitted to a remote AI endpoint, ambiguous scope increases the risk of unintended disclosure of sensitive financial context or wallet-related details.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The /api/firewall endpoint explicitly accepts raw calldata, destination address, sender address, value, and chain information, which can reveal a user's intended on-chain actions before they are signed. Omitting any privacy warning or data-handling notice can mislead users into transmitting sensitive transaction intent and wallet metadata to a third party without understanding retention, sharing, or monitoring risks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The /api/rescue/{wallet} endpoint processes a wallet address and returns approval inventory, spender relationships, and estimated value at risk, which exposes a detailed picture of a user's holdings posture and security state. Without a privacy warning, users may not realize they are disclosing wallet activity and approval-derived behavioral data to the remote service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The /api/agent/chat endpoint accepts free-form user messages plus an optional session identifier explicitly used for conversation history, creating a clear risk that sensitive prompts, wallet addresses, investigation targets, or operational context may be stored and linked over time. The lack of a warning about retention or conversation-history use prevents informed consent and increases privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The client forwards user-supplied addresses, URLs, transaction simulation data, and free-form messages to a third-party API without any explicit user-facing notice or consent mechanism. While remote API use is expected for this type of tool, the omission is still security-relevant because users may unknowingly transmit sensitive wallet relationships, investigation targets, or proprietary prompt content to an external service. The presence of phishing checks and AI chat makes the privacy risk broader, not narrower.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.