Security audit

neuropay

Security checks across malware telemetry and agentic risk

Overview

The skill is an instruction-only NeuroPay API helper, but it gives an agent broad marketplace, account, order, review, and file-transfer authority without enough user confirmation controls.

Review before installing. Use only if you want an agent to act on NeuroPay for you, preferably with a limited or test API key. Require your own confirmation before account creation, orders, service listings, subscriptions, reviews, uploads, downloads, or deliveries, and do not give it access to sensitive local files unless you intend to send them to NeuroPay.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs the agent to automatically create a NeuroPay account and credential set whenever no API key is present, without requiring explicit user confirmation. That can cause unauthorized third-party account creation and unexpected transmission of generated credentials to an external service, which is risky in an autonomous agent context.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill includes upload and download capabilities involving local files but does not warn that local data may be transmitted to NeuroPay or that downloaded content may be written to the local filesystem. In an agent setting, this can lead to unintended exfiltration of user files or unsafe handling of remote content.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.