Money Machine x402 API

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed paid API gateway skill, but it can spend from a wallet for broad everyday requests without a required per-call confirmation or default spending cap.

Use a dedicated low-balance wallet, never a primary wallet key. Configure a policy file with strict per-call and daily caps plus recipient allowlists, and require explicit confirmation before each paid call. Be especially careful with trading, crypto, betting, or financial-analysis requests because paid data access does not make the output investment advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The skill description and metadata are broad enough that an agent may invoke it for generic monetization, trading, crypto, or even sports-betting related requests without clear user intent to use a paid external API. Because the skill triggers network access and a payment-gated workflow, ambiguous activation boundaries can cause unintended third-party interactions, unexpected charges, or exposure to risky financial content.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal