solscan-market-by-solscan

Security checks across malware telemetry and agentic risk

Overview

This is a read-only Solscan API helper that sends user-requested blockchain lookups to Solscan and does not show hidden persistence, wallet control, or destructive behavior.

Install only if you are comfortable sending Solana addresses, token mints, transaction signatures, filters, and your Solscan API key to Solscan Pro. Use a dedicated API key, avoid logging headers, and be careful with wallet lookups tied to real people or sensitive investigations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence: 78%
Finding
The skill promotes wallet, account, transaction, and DeFi activity lookups without warning that these queries may be privacy-sensitive or used for profiling. In context, blockchain data is public, but packaging these capabilities into an agent skill lowers the barrier to large-scale monitoring and can facilitate doxxing, targeting, or behavioral analysis.

Missing User Warnings

Low
Confidence: 89%
Finding
The authentication section tells users to send an API key in headers to a third-party service but omits any warning that both credentials and queried wallet/token/transaction data leave the local environment. This can lead to unintentional disclosure of sensitive operational data and poor secret-handling practices when agents automatically forward user inputs to Solscan.

VirusTotal

67/67 vendors flagged this skill as clean.
