Back to skill

Security audit

Near Multi Account Manager

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real NEAR account manager, but it needs Review because it stores wallet private keys, can send funds, uses weak default key protection, and ships unrelated authenticated marketplace scripts.

Review carefully before installing. Do not add valuable accounts unless you set a strong unique NEAR_SKILL_KEY and understand that transfers can move real NEAR. The publisher should remove the unrelated market.near.ai scripts, revoke the exposed token, declare required capabilities, and add explicit transfer confirmation safeguards.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (26)

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill advertises use of an environment variable (`NEAR_SKILL_KEY`) for encryption but the manifest does not declare any permissions for environment access. Undeclared access to environment data weakens transparency and can lead to broader-than-expected secret exposure if the runtime allows env reads implicitly.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The reported behavior mismatch is severe because the skill description presents a local NEAR account manager, while the analyzer indicates hidden authenticated access to `market.near.ai` APIs using an embedded live token and submission of deliverables to external endpoints. That combination suggests undisclosed external communications and hardcoded credential use, which could enable account abuse, data exfiltration, or unauthorized actions under a third-party identity.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
Claiming secure encrypted storage while allowing a built-in default encryption key undermines confidentiality of stored private keys. If multiple installations share the same default key, an attacker who obtains the encrypted file may be able to decrypt account credentials and steal blockchain assets.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This file hardcodes a live bearer token and uses it to probe multiple external marketplace API endpoints, then attempts to submit a deliverable to near.ai. That behavior is unrelated to the stated purpose of NEAR multi-account management, indicating hidden external interaction and possible unauthorized use of marketplace credentials or resources.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The POST logic actively submits deliverable data to a remote endpoint using a hardcoded live authorization token, without any connection to the skill's advertised account-management features. This creates a covert capability to perform marketplace actions on behalf of whoever owns the token, potentially causing unauthorized submissions, account abuse, or reputational harm.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This file makes an authenticated request to an external job-status API on market.near.ai using a hardcoded bearer token, which is unrelated to the stated purpose of secure NEAR multi-account management. The mismatch between the manifest and the code strongly suggests covert external access or unauthorized use of an embedded credential, creating both secret exposure and suspicious out-of-scope network behavior.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
The code contains a hardcoded live bearer token granting authenticated access to an external API, which is a direct credential exposure vulnerability. Anyone with access to the skill code can extract and abuse the token, potentially accessing private job data or performing unauthorized actions against the external service.

Scope Creep

Medium
Confidence
95% confidence
Finding
The manifest declares no capabilities even though the skill is explicitly designed to store credentials, access balances and transactions, and perform NEAR transfers. This creates a dangerous mismatch between declared permissions and actual expected behavior, reducing transparency, weakening policy enforcement, and making it easier for a high-risk financial skill to bypass capability-based review or user scrutiny.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill description limits expectations to account management, switching, and balance aggregation, but the implementation also performs live on-chain transfers. This capability mismatch is dangerous because users or orchestrators may grant or invoke the skill under a lower-risk assumption, while the hidden transfer path can move funds irreversibly from stored accounts.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file claims to be part of a NEAR multi-account management skill, but the code only performs an outbound HTTPS POST to submit a deliverable to an external service. This mismatch is dangerous because it indicates deceptive functionality and suggests the skill may exfiltrate data, abuse agent execution privileges, or perform unauthorized actions unrelated to its stated purpose.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
This code contains hardcoded capability to contact an external endpoint and submit data to a job deliverables API, which is unrelated to NEAR account management. In the context of a wallet or credential-handling skill, unrelated outbound network actions are especially risky because they can be repurposed for covert data exfiltration or unauthorized account-linked operations.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file is unrelated to NEAR multi-account management and instead performs an outbound HTTPS POST to submit a deliverable to an external service using a hardcoded bearer token. This mismatch between the advertised skill purpose and actual code behavior is a strong indicator of hidden or unauthorized functionality, which is especially dangerous because it can exfiltrate metadata or abuse embedded credentials under the guise of a legitimate blockchain-management skill.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script includes an external job-submission capability that has no clear relationship to managing NEAR accounts, balances, or transfers. In the context of this skill, unjustified remote submission functionality materially increases risk because it enables covert communication with a third-party endpoint and may be used to leak data or perform unauthorized actions outside the declared skill scope.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This file performs an outbound submission to an external marketplace endpoint that is unrelated to the stated purpose of secure NEAR multi-account management. The script appears to be operational/deployment or job-reporting logic embedded in the skill package, which creates an undisclosed external communication channel and could be used to exfiltrate metadata or perform unauthorized actions under the publisher's identity.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code contains direct marketplace job submission capability even though the skill description is limited to account management features such as credential storage, account switching, and balance aggregation. In this context, hidden submission logic is suspicious because it expands the skill's behavior beyond its declared scope and enables covert network actions against a third-party service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README describes fund transfer capability without warning that it moves real assets on NEAR mainnet and that blockchain transactions are typically irreversible. In a wallet-like skill, missing these warnings increases the chance of accidental loss, user misunderstanding, or unsafe automation of value-bearing actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README instructs users to paste a private key directly into a function call without prominently warning about the sensitivity of that credential. In the context of a multi-account blockchain manager, encouraging direct handling of raw private keys raises the risk of credential leakage through logs, shell history, screenshots, or unsafe storage patterns.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This skill explicitly supports NEAR transfers, but the description does not prominently warn that blockchain transfers are irreversible and can permanently move user funds. In a wallet-management context, that omission increases the chance of unsafe or accidental transactions, especially when account switching is also supported.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code sends a POST request to an external service to submit deliverable metadata without any user-facing notice, consent, or confirmation step. Even aside from the hardcoded token issue, silent outbound submission can leak operational data and trigger unintended external actions that users did not authorize.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill performs an outbound authenticated HTTP request with no user-facing disclosure, making hidden data flows and third-party communication possible without informed consent. In the context of a credential-management skill, undisclosed authenticated network activity is especially risky because users may reasonably expect sensitive operations to remain tightly scoped and transparent.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The manifest uses broad action descriptions like managing accounts, transferring NEAR, importing accounts, and exporting account information without documenting constraints, authorization checks, confirmation requirements, or safety boundaries. In a wallet-management context, vague high-impact entrypoints increase the chance of unsafe invocation, confused-deputy behavior, or unintended execution of financial operations.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill persists NEAR private keys to disk and the encryption scheme is weak because it falls back to a hardcoded default key when NEAR_SKILL_KEY is unset. That means local compromise, backup leakage, or multi-user host access can expose wallet keys and enable complete theft of funds from all managed accounts.

Missing User Warnings

High
Confidence
95% confidence
Finding
The transfer entrypoint can broadcast an irreversible fund transfer as soon as it is invoked, with no explicit confirmation gate, preview, or secondary acknowledgement. In an agent setting, prompt confusion, tool misuse, or malicious chaining can turn a normal account-management skill into a direct asset-exfiltration path.

Missing User Warnings

Medium
Confidence
100% confidence
Finding
A live bearer token is hardcoded directly into the source and used in an outbound Authorization header. Hardcoded secrets are immediately recoverable by anyone with access to the skill, enabling unauthorized API access, impersonation, fraudulent submissions, and possible pivoting into associated systems; in a security-sensitive account-management skill, this sharply increases the risk profile.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The code transmits an authorization credential in a request header and embeds the bearer token directly in source code, exposing a live secret to anyone with access to the skill files. Even though HTTPS is used, the dangerous issue is secret disclosure and silent outbound transmission without user visibility; an attacker or downstream user could reuse the token to submit data or access the associated service.

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.