Back to skill

Security audit

Sponge Wallet

Security checks across malware telemetry and agentic risk

Overview

This doc-only wallet skill is transparent about many capabilities, but it gives an agent broad real-money authority without enough built-in scoping or confirmation guidance.

Install only if you are comfortable giving an agent durable authority over wallet funds, paid API requests, prediction-market activity, and possible Amazon purchases. Prefer testnet or low-balance accounts, avoid agent-first registration for real funds, confirm every transfer/swap/bridge/withdrawal/trade/x402 request/checkout yourself, keep API-key permissions narrow, and revoke or rotate the key when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest presents the skill as a crypto wallet manager, but the documented capabilities also include Amazon product search and checkout, which materially expands it into real-world purchasing. This scope mismatch can mislead users and orchestration systems about what the skill is allowed to do, increasing the chance of unintended purchases or policy bypass.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill is described as wallet management, but it also supports arbitrary x402-paid external fetches, effectively allowing spending funds to access third-party services. This hidden expansion from wallet operations to arbitrary paid network access increases exfiltration and unapproved spending risk.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest omits prediction-market trading even though the skill supports Polymarket trading and withdrawals. Undisclosed trading functionality is dangerous because it enables speculative financial actions that users or host systems may not realize the skill can perform.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill documents transfers, swaps, bridges, trading, withdrawals, and purchases, but does not require explicit user confirmation or prominently warn about irreversible real-money consequences. In a finance skill, omission of confirmation and risk warnings materially raises the chance of accidental asset loss or unauthorized spending.

Missing User Warnings

High
Confidence
98% confidence
Finding
The x402 feature is described as automatically handling payment flow, including creating and signing a USDC payment and retrying requests, without a strong warning that this spends wallet funds on third-party services. Auto-payment to arbitrary URLs is especially dangerous in this skill context because it combines outbound requests with autonomous spending.

Credential Access

High
Category
Privilege Escalation
Content
- `claimCode`, `deviceCode`, `expiresIn`, `interval`, `claimText`
- `apiKey` (returned immediately in agent-first mode)

Store `apiKey`, `claimCode`, and `verificationUriComplete` (as `claimUrl`) in `~/.spongewallet/credentials.json` so a human can claim later if context resets.

**Step 2 — Send the claim URL to the human owner**
They log in, optionally post the tweet text, and approve the agent.
Confidence
88% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
## Security

- Never share your API key in logs, posts, or screenshots.
- Store your API key in `~/.spongewallet/credentials.json` and restrict file permissions.
- Rotate the key if exposure is suspected.

---
Confidence
85% confidence
Finding
credentials.json

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.