Near Name Service

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly aligned with managing NEAR names, but its registration script can run shell commands built from user-provided input, and its paid transaction flow does not carry adequate warnings.

Review before installing. Do not pass untrusted names or account IDs, and do not use this against a funded NEAR account until the script replaces shell-string exec with safe argument passing and validates NEAR names/account IDs. Treat register as a transaction-capable command and verify network, cost, account, and domain before approving any signing prompt.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The README provides direct commands to register a domain, which is a paid on-chain action, without an explicit warning immediately adjacent to those commands that funds will be spent and transactions will be signed using the configured account. In an agent-skill context, users may copy commands or invoke the skill assuming it is informational, so the omission increases the risk of unintended financial loss or unauthorized-looking account activity.

VirusTotal

66/66 vendors flagged this skill as clean.
