SUPAH NFT Intelligence

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform NFT analytics, but it also introduces automatic paid x402 calls and alerting behavior that need clearer user control before installation.

Review before installing. Only use this skill if you are comfortable with chargeable x402 requests to an external service, and configure a dedicated low-balance wallet or strict spending limits. Do not enable automatic calls or sale alerts unless the skill clearly asks for confirmation before any paid request and explains exactly when charges occur.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Tp4 (High)
Category: MCP Tool Poisoning
Confidence: 83%
Finding: The skill advertises NFT analytics, but the file also enables automatic x402 micropayments to an external endpoint and mentions sale alerts, which are material behaviors with cost and external interaction implications. This mismatch can cause users or calling agents to invoke the skill without understanding that paid outbound requests may occur, creating financial and trust risks.

VirusTotal

65/65 vendors flagged this skill as clean.
