Arc Security - Agent Trust Protocol

Security checks across malware telemetry and agentic risk

Overview

This blockchain skill appears aligned with its stated purpose but asks for raw wallet signing authority, can automatically spend funds, and extracts remotely downloaded packages without sufficient user control.

Review carefully before installing. Use only a dedicated low-value wallet or testnet key, never a primary wallet private key. Do not run payment, approval, burn, vote, claim, withdrawal, or package-use commands unless the exact chain, contract, recipient, amount, and downloaded package are shown and you explicitly approve them. Treat any ZIP downloaded by the x402 flow as untrusted until independently verified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The function claims to wait for a CCTP attestation but immediately returns a fabricated placeholder message and attestation bytes. In a cross-chain asset transfer client, this is dangerous because callers may treat the result as a valid Circle attestation flow and proceed with downstream settlement logic, causing failed transfers, stuck funds, or unsafe assumptions about bridge finality.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The client downloads a ZIP from a remote server and extracts it directly to the local filesystem without validating the archive contents, integrity, or trustworthiness of the source. This can enable arbitrary file overwrite via path traversal in ZIP entries or installation of malicious skill content, which is especially dangerous because the code is positioned as a payment client but also performs software delivery and installation.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The README instructs users to perform payment, staking, reporting, voting, and withdrawal operations that can move funds or trigger irreversible on-chain actions, but it does not warn that these actions may incur real financial loss, fees, or permanent consequences. In a blockchain/payment context, omission of such warnings increases the chance that users execute sensitive commands without understanding risk, especially when commands are presented as simple examples.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The README tells users to set a PRIVATE_KEY environment variable but does not include any warning about its extreme sensitivity, secure storage, or the risk of wallet compromise. In a skill that performs blockchain transactions, exposure of this credential could allow an attacker or malware to drain funds, submit unauthorized transactions, or manipulate staking and claims.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The skill explicitly requires a wallet private key for signing transactions but does not warn users about secure storage, least-privilege wallet use, or the risk of exposing that key to the skill runtime and surrounding tooling. In an agent/CLI context, requesting a raw private key materially increases the chance of credential theft, accidental logging, shell history exposure, or misuse if the implementation or environment is compromised.

Missing User Warnings

Severity: Low
Confidence: 81%
Finding: The `use` command combines payment with downloading a skill package from an external server, but the documentation does not clearly warn that this causes on-chain value transfer and retrieval of remote code/artifacts that may be unsafe. In this context, users may over-trust the advertised 'Safe to use' trust model and execute downloaded content without independent verification, increasing supply-chain and financial risk.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The module automatically loads a blockchain private key from the environment and uses it for signing if present, without any explicit user disclosure, consent flow, or scoping controls. In an agent/skill context, this is dangerous because merely configuring the environment can silently enable value-bearing on-chain actions, increasing the risk of unintended transaction signing if other methods are invoked.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The submit_claim method builds, signs, and broadcasts a transaction immediately, with no confirmation step, transaction preview, policy check, or spending guardrail. In an autonomous skill setting this can trigger irreversible on-chain state changes and gas expenditure from the configured account, especially because the signer is activated implicitly when a private key is present.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The vote_on_claim method signs and sends a governance-like transaction directly, again without explicit consent or review. Because votes can affect claim outcomes and may consume funds or influence protocol decisions, silent broadcasting from an agent is risky and can be abused through prompting, workflow mistakes, or unintended invocation.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The claim_earnings method also signs and broadcasts a transaction without any confirmation, making fund-moving or settlement-related actions possible as soon as a private key is configured. Even if the operation is intended to benefit the account, unauthorized triggering can still incur gas costs, route funds unexpectedly, or interfere with operational controls across chains.

Missing User Warnings

Severity: High
Confidence: 95%
Finding: The code performs token approval and then an irreversible burn transaction automatically, without any explicit user confirmation, simulation, receipt check, or sanity validation between steps. In an agent skill context, this is especially risky because a malformed request, wrong chain, wrong registry address, or compromised invocation path could cause immediate loss or locking of USDC before an operator can intervene.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The vote_claim path submits a blockchain transaction immediately after an eligibility check, without a final confirmation prompt summarizing the action, wallet, claim, and consequences. In a financial/on-chain skill context, this is risky because a mistyped command, social engineering, or automation misuse can trigger an irreversible vote that may affect governance outcomes and possibly the user's reputation or rewards.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding: The command trigger "use" is extremely broad and likely to collide with normal user language, which can cause accidental invocation of the skill in unrelated conversations. In a security-focused skill that may perform checks, bonding, reporting, or claim-related actions, unintended activation increases the risk of confusing execution flow, mistaken approvals, or user actions being routed into the wrong workflow.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The command trigger "check" is ambiguous and commonly appears in ordinary conversation, making accidental or incorrect skill activation plausible. Because this skill is tied to security infrastructure and external systems like RPC endpoints, contract addresses, and payment server URLs, ambiguous activation could lead users into sensitive operations or misleading security-related outputs without clear intent.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The code automatically approves token spending and submits on-chain payment transactions based solely on a 402 response from a remote server, with no user confirmation, spending limit review, or recipient verification. A malicious or compromised server could induce unauthorized payments or repeated charges, and blockchain transactions are typically irreversible.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: Downloaded ZIP content is written to disk and extracted automatically without any user-facing warning or confirmation, causing silent filesystem modification from remote content. In this context, that is more dangerous than a mere UX issue because it combines network-delivered content with local file writes and extraction, increasing the chance of stealthy malicious installation or overwrite.

VirusTotal

66/66 vendors flagged this skill as clean.