celo-composer

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Celo app scaffolding guide; its main risks are normal web3 key, wallet, and deployment cautions rather than hidden malicious behavior.

Install only if you intend to build Celo/web3 apps. Run the scaffold command in a clean directory, verify the npm package, prefer testnets first, never reuse a funded production private key in local .env files, and review generated wallet/deployment code before shipping.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs users to deploy contracts and store a raw PRIVATE_KEY in a local .env file but provides no warning about irreversible blockchain transactions, testnet/mainnet confusion, or secret-handling risks. In a scaffolding skill aimed at developers, this omission can normalize unsafe operational practices and increase the chance of accidental fund loss or key exposure.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The template documentation explicitly promotes automatic wallet connection in MiniPay via a client-side effect without any mention of user consent, warning, or guardrails. While this is likely intended as a convenience feature, auto-initiating wallet connection can surprise users, normalize implicit wallet access patterns, and increase the risk of downstream phishing or transaction-priming flows in applications generated from this template.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal