DeFi Position Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a read-only DeFi portfolio guide, but using it can expose wallet and tax-related financial data to third-party services.

Install only if you are comfortable using third-party analytics and RPC providers with your wallet addresses and DeFi activity. Use dedicated read-only, revocable API keys, never provide seed phrases or private keys, and review any tax export before sharing it with another agent or service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill includes example commands that transmit wallet addresses and API credentials to third-party services without any explicit privacy notice, consent guidance, or data-minimization warning. In a DeFi context, wallet addresses, holdings, and protocol positions can reveal sensitive financial information and enable cross-service profiling even though the examples are framed as normal portfolio lookups.

Missing User Warnings

Medium
Confidence: 93%
Finding
The tax handoff section normalizes exporting detailed transaction history, rewards, gains/losses, and wallet-linked metadata to another agent without any sensitive-data handling guidance. That creates a privacy and confidentiality risk because the exported dataset is sufficient to reconstruct a user's financial activity and may be propagated to downstream systems without informed consent or retention controls.

VirusTotal

63/63 vendors flagged this skill as clean.
