Security audit

Tilt Protocol — AI Fund Manager

Security checks across malware telemetry and agentic risk

Overview

This is an openly described testnet DeFi fund-manager skill, but it gives an agent broad wallet, trading, approval, and public-posting authority without enough user safeguards.

Install only for isolated testnet use with a disposable wallet. Do not reuse a real wallet or valuable private key, review any fetched remote skill update before following it, avoid unlimited approvals where possible, verify chain ID and contract addresses, and require explicit approval before any vault creation, approval, trade, or public post.
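One way to enforce the safeguards listed above in code, as an added example that is not part of the Tilt Protocol skill or this audit: a pre-signing guard the agent runtime calls before any approval, vault creation, trade, or public post. Chain IDs, addresses and amounts below are constructed placeholders; the slippage bound and the "gate every kind" rule are assumptions, not the skill's own policy.

```python
from dataclasses import dataclass

UNLIMITED_ALLOWANCE = 2**256 - 1   # uint256 max, the "infinite approval" pattern
BPS = 10_000                       # basis points per 100%
ON_CHAIN_KINDS = {"approve", "create_vault", "swap"}


@dataclass(frozen=True)
class TxIntent:
    """What the agent wants to do, captured before anything is signed or posted."""
    kind: str                  # "approve" | "create_vault" | "swap" | "post"
    chain_id: int = 0          # chain the agent intends to sign for (0 for off-chain "post")
    to: str = ""               # contract address for on-chain kinds
    approve_amount: int = 0    # token allowance for "approve"
    min_amount_out: int = 0    # for "swap"; the skill's example shows 0
    quoted_out: int = 0        # router quote for "swap", used to bound slippage
    user_confirmed: bool = False


@dataclass(frozen=True)
class Policy:
    expected_chain_id: int
    allowed_contracts: frozenset   # lowercase hex addresses (constructed for the test)
    max_slippage_bps: int = 100    # assumption: 1% below quote is the worst fill accepted


def check_intent(intent: TxIntent, policy: Policy) -> list:
    """Return the reasons this intent must NOT proceed; an empty list means it may."""
    problems = []
    if intent.kind in ON_CHAIN_KINDS:
        if intent.chain_id != policy.expected_chain_id:
            problems.append(f"chain id {intent.chain_id} != expected {policy.expected_chain_id}")
        if intent.to.lower() not in policy.allowed_contracts:
            problems.append(f"contract {intent.to} is not on the allowlist")
    if intent.kind == "approve" and intent.approve_amount >= UNLIMITED_ALLOWANCE:
        problems.append("unlimited token approval requested")
    if intent.kind == "swap":
        if intent.min_amount_out == 0:
            problems.append("minAmountOut is 0: any fill, however bad, would be accepted")
        elif intent.quoted_out:
            # Worst acceptable output given the quote and the policy's slippage cap.
            floor = intent.quoted_out * (BPS - policy.max_slippage_bps) // BPS
            if intent.min_amount_out < floor:
                problems.append(f"minAmountOut {intent.min_amount_out} allows more than "
                                f"{policy.max_slippage_bps} bps slippage (floor {floor})")
    if not intent.user_confirmed:
        problems.append(f"{intent.kind} needs explicit user approval before execution")
    return problems
```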

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Missing User Warnings

Medium severity, 91% confidence
Finding
The README promotes creation of self-custodied wallets and autonomous signing of on-chain transactions, but it does not prominently warn users that the agent may control private keys and initiate irreversible blockchain actions. In this context, omission of custody, key-management, and transaction-risk warnings can mislead users into granting powerful permissions without understanding the consequences, increasing the chance of financial loss or unsafe deployment.

Missing User Warnings

Medium severity, 94% confidence
Finding
The skill directs the agent to approve unlimited token spending and submit on-chain vault-creation transactions without any explicit warning, confirmation gate, or discussion of irreversibility. Even on a testnet, this normalizes unsafe transaction signing patterns and could cause real loss if addresses, environment variables, or network settings are changed or later reused on mainnet-like environments.

Missing User Warnings

Medium severity, 95% confidence
Finding
The rebalance workflow tells the agent to execute trades that materially alter holdings, with `minAmountOut` shown as 0, but does not warn about slippage, irreversible execution, or portfolio impact. This can lead to unfavorable fills, unintended asset rotation, and permanent loss of value from a bad or manipulated trade.

Vague Triggers

Medium severity, 90% confidence
Finding
The description uses broad activation and capability language such as turning an agent into a self-custodied fund manager that can autonomously manage funds, but it does not define boundaries, required user confirmation, or excluded actions. In a financial skill, this ambiguity is dangerous because an agent may over-apply the skill in contexts involving real or test funds, trading, or portfolio changes without clear trigger constraints.

Natural-Language Policy Violations

Medium severity, 96% confidence
Finding
The description explicitly promotes autonomous fund management, including executing trades and managing funds, without mentioning user-controlled safeguards, approval checkpoints, risk limits, or opt-in controls. In the context of DeFi and tokenized stock portfolios, this materially increases the chance of unauthorized or misaligned trading behavior, potentially leading to financial loss, compliance issues, or irreversible on-chain transactions.

Missing User Warnings

Medium severity, 98% confidence
Finding
The example explicitly displays a private key and then exports it into an environment variable for later transaction signing. Even if shown as a sample, normalizing raw secret handling in documentation is dangerous because users may copy the pattern into shells, logs, screenshots, chat transcripts, or shared environments, leading to wallet compromise and total loss of funds.

Missing User Warnings

Medium severity, 96% confidence
Finding
This workflow instructs the agent/user to perform on-chain approval, vault creation, and asset allocation transactions without an explicit warning that these actions are real, signed, and generally irreversible once broadcast. In a financial skill centered on blockchain fund management, omitting that warning materially increases the chance of unintended asset movement, excessive approvals, or creation of live financial products with incorrect parameters.

Missing User Warnings

Medium severity, 88% confidence
Finding
The example explicitly shows an autonomous scheduled agent making external POST requests without any user-facing disclosure, approval gate, or discussion of what data is transmitted off-system. In an investment context, this can leak portfolio state, strategy rationale, and timing signals to an external service on a recurring basis, which increases privacy, compliance, and operational risk even if the API is legitimate.

Missing User Warnings

Medium severity, 95% confidence
Finding
The example shows a live state-changing blockchain transaction using `cast send` with a private key, but does not clearly warn that this can execute a real, irreversible trade if copied as-is. In a financial skill, that omission is dangerous because users or agents may run the command against production infrastructure and unintentionally move assets.

VirusTotal

65/65 vendors flagged this skill as clean.