Security Defense Line 安全防线

Security checks across malware telemetry and agentic risk

Overview

This paid security skill should be reviewed because it presents mock or random digital-asset safety checks as usable protection.

Install only if you understand that this appears to be a paid demo or educational helper, not a dependable security defense system. Do not rely on its risk scores, audit reports, transaction simulations, or multisig state changes for real asset decisions. Use the billing flow only if you are comfortable sending a user identifier to skillpay.me.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Tainted flow: 'user_id' from os.environ.get (line 96, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    Returns: {"ok": bool, "balance": float, "payment_url": str|None}
    """
    try:
        resp = requests.post(
            f"{BILLING_API_URL}/api/v1/billing/charge",
            headers=HEADERS,
            json={
Confidence
97% confidence
Finding
resp = requests.post( f"{BILLING_API_URL}/api/v1/billing/charge", headers=HEADERS, json={ "user_id": user_id, "skill_id": SK

Tainted flow: 'user_id' from os.environ.get (line 96, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
def get_payment_link(user_id: str, amount: float = 5.0) -> str:
    """Generate a top-up link."""
    try:
        resp = requests.post(
            f"{BILLING_API_URL}/api/v1/billing/payment-link",
            headers=HEADERS,
            json={"user_id": user_id, "amount": amount},
Confidence
89% confidence
Finding
resp = requests.post( f"{BILLING_API_URL}/api/v1/billing/payment-link", headers=HEADERS, json={"user_id": user_id, "amount": amount}, timeout=10
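The two tainted-flow findings above (a user identifier read from the process environment and posted to the billing API) are the kind of result a source-to-sink tracker produces. What follows is an added example of such a tracker, written here for illustration; it is not the SkillSpector implementation and not code from the scanned skill. It walks a Python module's AST, treats os.environ.get / os.getenv / os.environ[...] as sources and requests.* calls as sinks, and follows names through assignments, so it catches both the direct and the variable-mediated flows listed under Taint Tracking. The module it scans is constructed inline to resemble the quoted billing code; its function and variable names are assumptions. It is intra-module and flow-insensitive by design (no sanitizer modelling, no propagation across function calls), so it over-reports rather than under-reports, which is the right default for a triage scanner.

```python
"""Name-based taint tracker over a Python AST (added example, not the scanner's code).
Sources: os.environ.get(...), os.getenv(...), os.environ[...].
Sinks:   requests.get/post/put calls.
Taint follows simple assignments in statement order; nothing crosses a
function-call boundary and no sanitizers are modelled (deliberate over-reporting)."""
import ast
from dataclasses import dataclass

ENV_SOURCES = {("os", "environ", "get"), ("os", "getenv")}
NETWORK_SINKS = {("requests", "get"), ("requests", "post"), ("requests", "put")}


@dataclass
class TaintFinding:
    variable: str      # tainted name at the sink, or "os.environ" for a direct read
    source_line: int   # where the environment value was read
    sink: str          # dotted callee, e.g. "requests.post"
    sink_line: int


def _dotted(node):
    """os.environ.get -> ("os", "environ", "get"); None if not a plain dotted name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return None


def _is_env_source(node):
    if isinstance(node, ast.Call):
        return _dotted(node.func) in ENV_SOURCES
    if isinstance(node, ast.Subscript):            # os.environ["KEY"]
        return _dotted(node.value) == ("os", "environ")
    return False


class _TaintVisitor(ast.NodeVisitor):
    def __init__(self):
        self.tainted = {}     # name -> line of the environment read it derives from
        self.findings = []

    def _origin(self, expr):
        """(label, line) if environment data can reach `expr`, else None."""
        for sub in ast.walk(expr):
            if _is_env_source(sub):
                return "os.environ", sub.lineno
            if isinstance(sub, ast.Name) and sub.id in self.tainted:
                return sub.id, self.tainted[sub.id]
        return None

    def _assign(self, targets, value):
        origin = self._origin(value)
        if origin is not None:
            for t in targets:
                if isinstance(t, ast.Name):
                    self.tainted[t.id] = origin[1]   # keep the original read line

    def visit_Assign(self, node):
        self._assign(node.targets, node.value)
        self.generic_visit(node)

    def visit_AnnAssign(self, node):
        if node.value is not None:
            self._assign([node.target], node.value)
        self.generic_visit(node)

    def visit_Call(self, node):
        callee = _dotted(node.func)
        if callee in NETWORK_SINKS:
            for arg in node.args + [kw.value for kw in node.keywords]:
                origin = self._origin(arg)
                if origin is not None:
                    self.findings.append(
                        TaintFinding(origin[0], origin[1], ".".join(callee), node.lineno))
                    break                          # one report per call site
        self.generic_visit(node)


def find_env_to_network_flows(source: str) -> list:
    visitor = _TaintVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


def format_finding(f: TaintFinding) -> str:
    return (f"Tainted flow: '{f.variable}' from os.environ (line {f.source_line}) "
            f"-> {f.sink} (line {f.sink_line})")


# Constructed sample modelled on the quoted billing code; NOT the scanned file.
SAMPLE = '''\
import os
import requests

BILLING_API_URL = "https://billing.example.invalid"

def verify_payment():
    user_id = os.environ.get("SKILL_USER_ID")          # source
    amount = 5.0
    resp = requests.post(f"{BILLING_API_URL}/charge",
                         json={"user_id": user_id, "amount": amount})   # sink via variable
    return resp.ok

def ping():
    requests.get(BILLING_API_URL + "/health")           # no tainted argument: not reported

def direct():
    requests.post(BILLING_API_URL, json={"token": os.environ["API_TOKEN"]})   # direct flow
'''

if __name__ == "__main__":
    for finding in find_env_to_network_flows(SAMPLE):
        print(format_finding(finding))
```

Run as a script it prints one line per sink, in the same shape as the findings on this page. Because taint is keyed by name, the variable-mediated case (user_id assigned on one line, posted on another) is reported with the line of the original environment read, which is the number a reviewer needs to confirm the source.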

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises executable scripts that imply environment variable access, file operations, and network connectivity, yet no permissions are declared. This creates an authorization transparency gap: users and the hosting platform cannot accurately assess what capabilities the skill needs before use, increasing the risk of overreach or unnoticed sensitive operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill’s stated purpose is defensive security analysis, but it also introduces billing behavior such as balance checks, payment gating, and external payment interactions that are not part of the declared security function. Hidden or under-declared monetization logic is risky because it can trigger unexpected external requests, collect user/payment metadata, or block security workflows until payment is made.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file is dominated by billing enforcement logic that does not match the declared security-defense functionality of the skill. That mismatch is a strong indicator of deceptive or at least unauthorized behavior, because users invoking a security tool would not reasonably expect hidden charging and payment-enforcement code to run.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The module implements charge execution and payment-link generation capabilities that are unjustified by the skill's stated defensive-security purpose. Such undeclared financial operations increase the risk of unauthorized charging, user deception, and exfiltration of identifiers to an external service.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The module docstring labels the file as a billing integration, directly contradicting the advertised identity of a security-defense skill. This inconsistency is dangerous because it conceals non-security behavior and undermines user trust, making it easier for deceptive monetization logic to evade scrutiny.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The function advertises fetching contract code by address/network but always returns hardcoded sample Solidity. In a security-auditing skill, this creates a deceptive security outcome: users may believe a real contract was audited when the tool actually analyzed unrelated demo code, causing missed vulnerabilities and unsafe deployment or interaction decisions.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The address-based audit path does not analyze the requested contract and instead depends on the mocked fetch behavior, so the report can falsely represent an audit of a user-specified address. In the context of a contract security tool, this is dangerous because it can directly mislead users into trusting insecure contracts based on fabricated or irrelevant findings.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
`revoke_confirmation` does not verify that the provided `signer` is an owner, nor that this signer previously confirmed the transaction. As a result, any caller can repeatedly reduce the confirmation count of pending transactions, enabling denial of service against legitimate executions and breaking the core integrity guarantees of multisig approval tracking.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
`execute_transaction` accepts an `executor` argument but never validates it against the wallet owners or any authorization policy. Once a transaction reaches the threshold, any caller can trigger execution, which defeats expected multisig access controls and is especially dangerous in a security-focused wallet management skill where execution authority should be tightly constrained.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
`add_owner` and `remove_owner` modify the signer set directly without validating `proposer`, requiring prior multisig approval, or enforcing governance workflow. This allows unauthorized takeover of the wallet's trust model—for example, adding an attacker-controlled owner or removing legitimate owners—undermining all subsequent threshold checks.
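The three multisig findings above (revoke_confirmation with no owner or prior-confirmation check, execute_transaction with an unvalidated executor, and add_owner/remove_owner changing the signer set directly) share one fix: every state change is gated on current-owner membership, and owner changes become proposals that need threshold approval like any other transaction. The following is an added example of that hardened shape, written here for illustration; it is not the scanned skill's code, and apart from the four method names taken from the findings, the signatures, the Transaction dataclass and the in-memory design are assumptions.

```python
"""In-memory multisig approval tracker with owner checks on every state change.
Added illustration (not the scanned skill's code); method names follow the findings."""
from dataclasses import dataclass, field


class MultisigError(Exception):
    """Raised for any rejected operation."""


@dataclass
class Transaction:
    tx_id: int
    action: str                 # "transfer" | "add_owner" | "remove_owner"
    target: str                 # destination address, or the owner to add/remove
    value: int = 0
    confirmations: set = field(default_factory=set)   # owners who confirmed
    executed: bool = False


class MultisigWallet:
    def __init__(self, owners, threshold):
        self.owners = set(owners)
        if not self.owners or not 1 <= threshold <= len(self.owners):
            raise MultisigError("threshold must be between 1 and the number of owners")
        self.threshold = threshold
        self.transactions = {}
        self._next_id = 1

    def _require_owner(self, who):
        if who not in self.owners:
            raise MultisigError(f"{who!r} is not an owner")

    def _pending(self, tx_id):
        tx = self.transactions.get(tx_id)
        if tx is None or tx.executed:
            raise MultisigError(f"tx {tx_id} is unknown or already executed")
        return tx

    def _propose(self, proposer, action, target, value=0):
        self._require_owner(proposer)                      # proposer must be an owner
        tx = Transaction(self._next_id, action, target, value)
        self._next_id += 1
        self.transactions[tx.tx_id] = tx
        tx.confirmations.add(proposer)                     # proposing counts as confirming
        return tx.tx_id

    def submit_transaction(self, proposer, to, value):
        return self._propose(proposer, "transfer", to, value)

    def add_owner(self, proposer, new_owner):
        """Only creates a proposal; the owner set changes when it is executed."""
        if new_owner in self.owners:
            raise MultisigError(f"{new_owner!r} is already an owner")
        return self._propose(proposer, "add_owner", new_owner)

    def remove_owner(self, proposer, old_owner):
        self._require_owner(old_owner)
        if len(self.owners) - 1 < self.threshold:
            raise MultisigError("removal would make the threshold unreachable")
        return self._propose(proposer, "remove_owner", old_owner)

    def confirmation_count(self, tx_id):
        # Intersect with current owners: a removed owner's old confirmation stops counting.
        return len(self.transactions[tx_id].confirmations & self.owners)

    def confirm_transaction(self, signer, tx_id):
        self._require_owner(signer)
        self._pending(tx_id).confirmations.add(signer)    # set: re-confirming is idempotent
        return self.confirmation_count(tx_id)

    def revoke_confirmation(self, signer, tx_id):
        self._require_owner(signer)                        # non-owners cannot revoke
        tx = self._pending(tx_id)
        if signer not in tx.confirmations:                 # nor can an owner who never confirmed
            raise MultisigError(f"{signer!r} has not confirmed tx {tx_id}")
        tx.confirmations.remove(signer)
        return self.confirmation_count(tx_id)

    def execute_transaction(self, executor, tx_id):
        self._require_owner(executor)                      # executor is validated, not just named
        tx = self._pending(tx_id)
        if self.confirmation_count(tx_id) < self.threshold:
            raise MultisigError(f"tx {tx_id} has not reached the threshold")
        if tx.action == "add_owner":
            self.owners.add(tx.target)
        elif tx.action == "remove_owner":
            if len(self.owners) - 1 < self.threshold:     # re-check: owner set may have changed
                raise MultisigError("removal would make the threshold unreachable")
            self.owners.discard(tx.target)
        tx.executed = True
        return tx


def rejected(call, *args):
    """True if call(*args) raises MultisigError; lets callers assert on refusals."""
    try:
        call(*args)
    except MultisigError:
        return True
    return False
```

A typical session: owners alice, bob and carol with threshold 2; alice submits a transfer (one confirmation), `rejected(w.revoke_confirmation, "mallory", tx)` and `rejected(w.execute_transaction, "mallory", tx)` are both True, bob confirms, and only then does `w.execute_transaction("carol", tx)` succeed. Note the intersection in confirmation_count: without it, removing an owner would leave their earlier confirmations counting toward the threshold, which is the same class of stale-trust problem the findings describe.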

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The function is presented as a transaction simulation but always returns hard-coded success, output, and price impact values. In a security-defense skill, this can falsely reassure users that a dangerous transaction is safe, directly undermining the core purpose of the tool and increasing the chance of approving malicious or loss-inducing transactions.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The details string says the address format is correct even when the address fails validation, creating contradictory and misleading output. In a transaction safety validator, inaccurate status messaging can cause users or downstream agents to trust malformed or suspicious destination addresses and ignore a real warning.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
Several checks presented as security detections are actually driven by random outcomes rather than blockchain data or a deterministic analysis source. In a wallet-security skill, this can produce false assurances or false alarms, causing users to trust unsafe addresses or avoid safe ones based on fabricated results.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The scan workflow aggregates and presents an overall security score and risk level as if they were meaningful protective conclusions, but much of that result is derived from randomized sub-checks. Because the skill is explicitly positioned as a security-defense tool, misleading users with authoritative-looking but non-evidence-based risk scores materially increases the chance of unsafe operational decisions.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
verify_payment() attempts to charge the user immediately when called, before presenting a clear warning or obtaining consent. This creates a risk of unauthorized billing and is especially problematic in a security skill, where users may trust the tool and not expect background financial operations.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
