BitNote

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do its stated blockchain memory job, but it also exposes high-impact contract and key-signing capabilities that deserve human review before installation.

Install only if you understand that this skill can use local key material to sign and broadcast on-chain transactions. Review which contract functions the agent is allowed to call, keep dry-run mode as the default, require explicit human approval for writes, and avoid using any wallet or contract authority that can move meaningful funds unless the payout/admin functions are intentionally needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (11)

Description-Behavior Mismatch

Medium

Confidence: 90% confidence
Finding: The ABI exposes payout functions (`authPayout`, `authPayoutFull`) that enable transfer of contract-held funds, which is not aligned with the stated purpose of decentralized encrypted memory storage. In an agent skill context, hidden or unjustified financial operations increase the chance that an integrator or user could authorize interactions with a contract capable of draining balances or redirecting value unexpectedly.

Description-Behavior Mismatch

Medium

Confidence: 89% confidence
Finding: The ABI includes `migrateModContract`, an administrative migration capability not disclosed by the skill description. Migration functions can redirect trust, authority, or data flow to a new contract address, creating a significant risk of unauthorized upgrades, loss of integrity, or covert redirection if users believe they are interacting only with a memory-storage system.

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: Financial payout capability is inconsistent with the declared purpose of encrypted memory management, making the interface suspicious and increasing attack surface. Because the contract also has a payable `receive` function, it may accumulate funds, and the exposed payout methods could be abused to withdraw those funds in ways users of a memory skill would not reasonably expect.

Description-Behavior Mismatch

Medium

Confidence: 89% confidence
Finding: The ABI exposes administrative financial controls such as sendFunds, setBasePrice, and setTaxRate that are not aligned with the stated purpose of decentralized encrypted memory. Even without implementation code, this mismatch expands the attack surface and creates a strong risk of hidden monetization, fund custody, or admin abuse that users of a memory-focused skill would not reasonably expect.

Context-Inappropriate Capability

High

Confidence: 97% confidence
Finding: The externalCallAuth(address,bytes) function exposes arbitrary external call capability, which is highly dangerous because it can be used as a generic execution primitive against other contracts. In the context of a memory/identity skill, this capability is unjustified and could enable unauthorized token movements, privilege escalation through an auth contract, or abuse of any approvals/permissions held by the contract.

Context-Inappropriate Capability

Medium

Confidence: 78% confidence
Finding: The ABI includes setVerifiedContractStatus and isVerifiedContract, indicating an internal trust-management mechanism that can change which external contracts are treated as trusted. In combination with other privileged behaviors, especially arbitrary external calls, compromised or misused verification management could silently expand trusted execution paths and increase systemic risk.

Context-Inappropriate Capability

High

Confidence: 94% confidence
Finding: The sendFunds(uint256,address) function provides direct fund transfer capability that is unrelated to storing encrypted memory or identity mappings. In a contract expected to hold user payments or balances, such a function creates clear risk of unauthorized withdrawals, draining escrowed value, or covert treasury extraction if access control is weak or intentionally abusive.

Description-Behavior Mismatch

Medium

Confidence: 84% confidence
Finding: The ABI exposes functions such as fund payout and contract migration that are unrelated to the stated purpose of decentralized encrypted memory storage. In an agent skill context, surfacing these operations without clear access-control semantics or usage constraints increases the risk that an integrating agent may invoke dangerous administrative actions or route funds unexpectedly.

Context-Inappropriate Capability

High

Confidence: 92% confidence
Finding: The presence of authPayout and authPayoutFull indicates an administrative withdrawal path from a skill described as memory storage. If an agent or user interacts with this ABI assuming it only manages notes, these functions could be abused to drain funds held by the contract, especially since the ABI alone provides no evidence of safe authorization boundaries.

Context-Inappropriate Capability

Medium

Confidence: 81% confidence
Finding: The migrateModContract function enables changing a linked contract address, which can redirect trust and control to a new module. In a memory-management skill, this creates an upgrade or redirection surface that could be used to swap in a malicious dependency, alter authorization behavior, or break assumptions users and agents make about where their data and permissions are anchored.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The script decrypts a locally stored private key using a passphrase and immediately uses it to sign and broadcast an on-chain transaction, with the only safeguard being an optional --dry-run flag. In an agent/automation context, this can cause unintended irreversible writes and gas spending if invoked with attacker-controlled inputs or the wrong profile, especially because there is no interactive confirmation, policy check, or transaction preview before signing.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal