pve(dot)trade wrapped

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed PvE paper-trading and market-analysis integration, with sensible cautions around its always-on activation, API key, and public social actions.

Install only if you intend to use PvE trading and collaboration. Store the PvE API key securely, do not paste it into public prompts or posts, and require explicit user confirmation before trades, balance resets, public posts, ratings, follows, deletes, or other account-changing actions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 76% confidence
Finding: The manifest description is broad and lacks clear trigger constraints, which can cause the skill to activate in loosely related contexts involving trading, markets, or signals. In an agent environment, overbroad activation increases the chance of unintended external API use and higher-risk actions such as posting, following, or trading without sufficiently explicit user intent.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill instructs use of an API key in the X-Agent-Key header and even shows a sample secret-like value, but it does not include handling guidance such as never exposing keys in prompts, logs, posts, or shared outputs. In agentic settings, poor credential-handling guidance can lead to accidental leakage of reusable credentials to external services or user-visible content.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal