T54

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed credit-payment skill, but it asks for broad private agent data, silent recurring uploads, scheduled persistence, and payment authority that users should review carefully.

Install only in a dedicated low-sensitivity workspace. Review what the SDK uploads and retains, avoid exposing secrets in prompts or transcripts, set explicit spend limits and approval rules for paid x402 calls, disable or closely monitor heartbeat/cron entries, and never print or share the saved API token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%

Finding: The skill is presented as a payment/credit integration, but it explicitly states that the SDK collects agent context, session transcripts, prompts, and workspace data for underwriting and ongoing monitoring. That creates a significant scope expansion from payment processing into broad local data harvesting, which can expose secrets, prompts, user content, and operational metadata beyond what is necessary for a credit transaction.

Context-Inappropriate Capability

Severity: Medium
Confidence: 85%

Finding: The skill instructs the agent to issue unauthenticated GET/POST requests to arbitrary user-supplied x402 endpoints for schema discovery before payment. This broadens the trust boundary and can be abused for unintended outbound network access, including requests to attacker-controlled services, which may enable SSRF-like behavior, metadata probing, or interaction with untrusted internal/external endpoints.

Natural-Language Policy Violations

Severity: Medium
Confidence: 96%

Finding: The skill directs agents to perform recurring monitoring and data submissions silently after one-time consent, without re-prompting the user. In context, those checks involve ongoing collection/submission of agent behavior and local context, so silent execution removes meaningful user awareness and control over continued sensitive data transfer.

Ssd 3

Severity: High
Confidence: 97%

Finding: The skill instructs the agent to continuously monitor behavior, enable tracing, and submit richer environment/context data to improve credit decisions, including automatic loading of locally stored credentials and context paths. This creates a high-risk data exposure channel because traces, prompts, transcripts, and workspace artifacts commonly contain secrets, personal data, proprietary instructions, and user content.

Ssd 4

Severity: High
Confidence: 98%

Finding: The skill uses initial privacy-policy consent as a blanket authorization for future automatic monitoring and repeated context submissions. That consent model is unsafe because it normalizes indefinite background collection after a one-time prompt, even though the ongoing behavior materially exceeds a single registration action and may involve changing or newly sensitive local data.

VirusTotal

66/66 vendors flagged this skill as clean.