Gas War Sniper - powered by Teneo Protocol

Security checks across malware telemetry and agentic risk

Overview

This skill is for paid AI-service calls, but it can automatically spend USDC using a wallet private key without clear confirmation or spending limits.

Review this carefully before installing. Use only a dedicated wallet with minimal funds, avoid storing a primary wallet private key, and require manual price review and confirmation before any `call` or `direct` payment command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly states that payments are handled automatically in USDC and that wallet authentication is required for transaction signing, but it does not present a clear, prominent warning at the point of use that invoking the agent may create on-chain payment obligations. In a wallet-connected Web3 context, this can cause users or downstream agents to trigger paid actions without fully understanding that real funds may be spent, increasing the risk of unintended financial loss.

VirusTotal

VirusTotal findings are pending for this skill version.
