Back to skill

Security audit

Stellar Agentic Wallet

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Stellar hot-wallet skill that can move real USDC, but I found no hidden exfiltration, destructive behavior, or install-time execution.

Install only if you are comfortable giving an agent spending authority over a Stellar hot wallet. Use a fresh limited-balance wallet, test with --network testnet where supported, avoid --yes and --max-auto on mainnet, pass --expect-pay-to and --expect-amount for paid API calls, and manually verify destination chain, address, amount, memo, and fees before confirming any transaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The decision rule is internally inconsistent: it first says session-only services must be refused, then later says to never override a user's explicit instruction and to do it with a warning. In a payment-triggering skill, that ambiguity can cause an agent to proceed with a call known to fail upstream while still charging the user, creating a direct loss-of-funds risk and undermining safety checks.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The skill metadata uses broad natural-language triggers such as 'deposit to ethereum' and 'i need usdc on <chain>', which can match ordinary conversation and cause the bridge flow to activate without a clearly scoped user intent. In a wallet skill that can initiate cross-chain fund movement, accidental invocation is dangerous because it may lead the agent to collect addresses and prepare irreversible transfers under ambiguous circumstances.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The 'When to trigger' section does not clearly separate bridge requests from adjacent intents like generic transfers, balance inquiries, or exploratory questions, even though the skill itself notes that bridge and send-payment map to the same backend payment call. This ambiguity increases the chance that the wrong skill path is selected and funds are sent to an unintended destination or using the wrong assumptions about ownership of the destination address.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The execution flow and run instructions describe delegating to the payment path and showing a payment ID, but they do not include a prominent user-facing warning that cross-chain transfers are irreversible and highly sensitive to chain and address correctness. In the context of a client-side wallet skill, missing such warnings materially raises the risk of user error leading to permanent loss of funds.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are broad enough that ordinary requests like 'find a service for <task>' or similar discovery-oriented prompts may activate a paid-API routing workflow without clear user intent to use MPP Router or spend Stellar USDC. In this context, overbroad activation increases the chance of unintended escalation from general assistance into a real-money payment flow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explains MPP Router mechanics and mainnet-only usage but does not prominently warn that using matched services can incur irreversible real-money Stellar mainnet charges. In a wallet/payment skill, missing upfront cost disclosure materially increases the risk of unintended spending, especially when combined with automatic discovery and handoff to a pay-per-call flow.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.