Security audit
Farcaster Agent
Security checks across malware telemetry and agentic risk
Overview
This skill’s goal is coherent, but it asks an agent to run unbundled code with wallet private keys, move funds, post publicly, and save account-control credentials to local plaintext files by default.
Review this carefully before installing. Use only a fresh, low-balance wallet, verify the external GitHub source and publisher claim yourself, inspect the referenced Node scripts before giving them any private key, prefer --no-save or a proper secret manager, and assume any saved credential file can let someone control the wallet and Farcaster account.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
- Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
- Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
- Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
64/64 vendors flagged this skill as clean.
