Back to skill

Security audit

Sponge Wallet

Security checks across malware telemetry and agentic risk

Overview

This is a coherent crypto-wallet skill, but it gives an agent direct authority to move funds, sign payments, and auto-pay APIs with limited local safety gates.

Install only if you are comfortable letting the agent use a Sponge wallet credential for transfers, swaps, withdrawals, signed x402 payments, and paid API calls. Prefer test keys or low-balance wallets, verify recipient, chain, token, amount, slippage, and payment recipient before every state-changing action, set auto_pay=false when reviewing paid API costs, avoid SPONGE_API_URL overrides unless fully trusted, and logout or rotate credentials when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly states that OAuth credentials are saved to `~/.spongewallet/credentials.json` but provides no warning about the sensitivity of that file, expected filesystem permissions, or guidance on protecting, rotating, or deleting credentials. In a wallet-management skill, stolen local credentials could enable account takeover, unauthorized payments, or access to paid APIs, so documenting secret storage without safety guidance materially increases risk.

Missing User Warnings

High
Confidence
95% confidence
Finding
The README promotes wallet transfers, token swaps, and paid x402 actions without any warning that these operations can spend funds, incur fees, or be irreversible. Because the skill is specifically designed for financial transactions, omitting prominent cautionary language can lead users to invoke destructive actions casually and increases the likelihood of unintended loss.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The usage examples encourage natural-language commands such as transferring USDC or swapping SOL without any adjacent caution that these requests may trigger real blockchain transactions or micropayments. In an agent context, natural-language invocation lowers the friction for high-impact actions, making accidental or socially engineered fund movement more plausible than in ordinary documentation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation states that paid API services are handled automatically and that `auto_pay` defaults to true, but it does not prominently warn that real wallet funds may be spent per request. In a wallet skill, this can cause unintended micropayments and repeated spend through normal tool use, especially when an agent chains calls autonomously.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The `evm_transfer` tool enables real asset transfers but the reference lacks a prominent irreversible-transfer warning. Even with an allowlist control, users or upstream agents may misunderstand the consequence of invoking the tool, resulting in permanent loss or misdirection of funds.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The `solana_transfer` documentation describes sending SOL or USDC without clearly warning that the transfer is irreversible and uses real funds. In a crypto-wallet skill context, omission of that warning materially increases the chance of accidental or socially engineered fund movement.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The swap documentation explains token routing and slippage but does not clearly warn about market volatility, price impact, routing risk, token quality risk, and execution outcomes. In practice, users may interpret the operation as routine and underestimate the possibility of loss, poor fills, or swapping into malicious or illiquid assets.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The `withdraw_to_main_wallet` section explicitly notes that allowlist approval is not required, yet it does not prominently warn that the action moves real funds out of the agent wallet. This makes the capability particularly sensitive because an agent or user could trigger irreversible value movement without the safeguard described for ordinary transfers.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill description is broad enough to match many user requests involving payments, wallets, or APIs, which increases the chance the agent invokes a high-risk financial skill when a lower-risk or unrelated action was intended. In this context, over-triggering is especially dangerous because the skill can move funds, perform swaps, and initiate paid requests, so mistaken invocation can lead to real financial loss or unnecessary credentialed operations.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill enables sensitive financial operations and stores credentials persistently in ~/.spongewallet/credentials.json, but it does not prominently warn about transaction irreversibility, real-money risk, or local credential persistence. In a crypto-wallet skill, omission of these warnings is high risk because users may unknowingly authorize transfers or leave long-lived credentials on disk, increasing the blast radius of user misunderstanding or host compromise.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The wrapper forwards arbitrary tool invocations directly to wallet operations, including transfers and withdrawals, without any local confirmation gate, allowlist enforcement, or secondary approval step. In a wallet skill, this is especially dangerous because a mistaken, prompt-injected, or unauthorized invocation could trigger irreversible on-chain asset movement or paid API charges.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.potential_exfiltration

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/wallet.mjs:110

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/wallet.mjs:37

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
scripts/wallet.mjs:50