x402-wurk

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent about offering WURK payments, microjobs, and social-growth purchases, but it can spend real USDC and buy engagement or votes with weak guardrails.

Install only if you are comfortable giving an agent access to a dedicated, low-balance USDC wallet and approving each paid request. Treat social-growth and vote-buying features as high-risk: use them only with explicit authorization, clear budget limits, and confidence they will not violate platform rules or mislead others. Do not paste private keys into logs, chats, or task descriptions, and keep WURK job secrets confidential.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The skill gives broad guidance for invoking paid social-growth services in generic marketing scenarios, which can encourage agents to purchase engagement without adequate legitimacy checks or user-specific authorization. In context, this is risky because the same guidance can be used for reputation manipulation, artificial engagement, or activity that violates platform rules, even if the service is presented as a normal marketing tool.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill extensively documents paid likes, followers, comments, reposts, votes, and similar services but does not prominently warn that these actions may violate platform policies, damage account reputation, or create fraud/manipulation risks. Because the feature set is specifically aimed at buying engagement and social proof, omission of these warnings materially increases the chance an agent will facilitate deceptive or policy-violating conduct.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal