Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a disclosed crypto signal scanner, but it also references private exchange access and possible leveraged trade execution without clear user confirmation or API-permission limits.

Install only if you intend to use it for crypto trading analysis and keep API keys read-only by default. Do not provide private trading credentials unless you understand that an agent following this skill may attempt real trades; require manual confirmation and tightly scoped exchange permissions before any order placement.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly states that private API access may be used for trading, but its user-facing description and usage guidance do not clearly warn that invoking the skill could place real market orders affecting funds. In a trading context, that omission is dangerous because users may treat the skill as a read-only scanner while exposing exchange credentials capable of executing leveraged trades.

VirusTotal

VirusTotal findings are pending for this skill version.
