Back to skill

Security audit

Real-time Crypto Price API

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal crypto price API client that makes user-initiated requests to a configured remote price service.

Before installing, understand that price lookups are sent to Prism API by default, or to whatever endpoint is set in PRISM_API_URL, and any PRISM_API_KEY you configure will be used for those requests. This is expected for the package, but users with sensitive trading workflows should review provider privacy, logging, and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
88% confidence
Finding
The README shows local library and CLI usage but does not clearly disclose that requests are sent to a third-party API service, which can expose queried symbols, usage patterns, IP addresses, and any configured API key to an external provider. In a trading-bot and dashboard context, this omission can mislead users about network behavior and data-sharing, creating privacy, compliance, and operational-risk concerns even if it is not a code-execution issue.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/index.js:7