8004

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for registering and checking AI-agent trust on Celo, with public blockchain and IPFS privacy risks users should understand before use.

Before installing or using this skill, verify the SDK package and contract addresses, test on a testnet first, do not publish secrets, internal URLs, personal data, or regulated information to IPFS or on-chain metadata, and require explicit review for wallet transactions, feedback submissions, endpoint calls, and paid requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs users to upload agent metadata to IPFS but does not warn that IPFS content is typically public, widely replicated, and difficult to fully retract once published. Because the metadata may include endpoint URLs, wallet addresses, descriptions, and other identifying details, users could unintentionally expose sensitive operational or organizational information.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill shows agent registration and feedback submission as normal workflow steps without warning that blockchain transactions are public, traceable, and effectively irreversible once confirmed. Users may submit identifying metadata, reputation data, or feedback hashes believing they can later edit or remove them, creating privacy, reputational, and compliance risks.

VirusTotal

66/66 vendors flagged this skill as clean.
