Buy Sovereign Domain (Handshake DNS)

Security checks across malware telemetry and agentic risk

Overview

This skill has a plausible domain-registration purpose, but it sends the agent to an unreviewed file outside the package for the details needed to make irreversible Ethereum transactions.

Install or use this only if you can inspect the full referenced specification, independently verify the Impervious Domains contract addresses and calldata, and use a wallet that requires manual confirmation for each transaction. Prefer a dedicated low-balance wallet and do not provide private keys directly to the agent.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill explicitly facilitates Ethereum mainnet domain registration, which results in irreversible on-chain transactions and gas expenditure, but it does not surface a clear user-facing warning in the skill file itself. In a wallet-connected agent setting, omission of that warning increases the risk that users authorize costly or permanent actions without understanding financial consequences or the inability to reverse them.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal