cpbox-videos-search

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, but it can make automatic crypto payments using a wallet private key without clear spending limits or confirmation steps.

Review this before installing if you plan to fund the wallet. Use a dedicated wallet with minimal funds, set explicit spending limits outside the skill where possible, avoid storing a primary wallet private key, and require manual approval before any paid or direct x402 call.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill states that payment is automatic with x402 tooling, but it does not prominently warn that invoking the skill can incur real charges. In an agent setting, this can lead to unintended paid requests, budget depletion, or abuse through repeated automated invocations without informed user consent.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal