cpbox-batch-balance

Security checks across malware telemetry and agentic risk

Overview

This is a coherent paid API helper, but it can lead an agent to make wallet-signed x402 payments without clear confirmation or spending-limit instructions.

Install only if you intend to use x402 pay-per-use API calls. Use a dedicated low-balance wallet, verify the payment requirements and amount before every request, avoid putting a primary private key in code or chat, and pin/review the external payment package before using it with wallet credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill explicitly says payment handling happens automatically when using the provided SDKs/CLI, but it does not give a prominent warning that invoking the examples can cause real paid transactions. In an agent-skill context, this can lead users or autonomous agents to trigger onchain payment authorizations without informed consent, creating financial loss risk even if the per-call charge is small.

VirusTotal

65/65 vendors flagged this skill as clean.
