jovay-interaction

Security checks across malware telemetry and agentic risk

Overview

This blockchain helper is coherent, but it documents private-key and broadcast transaction workflows without enough safety framing for irreversible financial actions.

Review before installing. Use a dedicated low-balance wallet, avoid passing private keys or encryption passwords directly on the command line where possible, enable encrypted wallet storage, verify the npm CLI provenance, and manually confirm network, recipient, contract, token, amount, gas, spender, and every `--broadcast` transaction before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly instructs users to pass a private key via `jovay wallet set --sk <private-key>` and other commands with `--sk <key>` but does not warn that command-line arguments may be exposed through shell history, process listings, logs, or agent telemetry. In a blockchain skill, this is especially dangerous because exposure of a private key can immediately lead to irreversible theft of wallet funds and loss of account control.

VirusTotal

63/63 vendors flagged this skill as clean.
