Planet Express Marketplace

Security checks across malware telemetry and agentic risk

Overview

This is a clearly disclosed blockchain file marketplace skill, but it guides agents through real payment and public listing flows without strong user-confirmation or transaction-safety boundaries.

Install only if you are comfortable with an agent helping with blockchain marketplace actions. Before any purchase or listing, manually verify the exact cost, chain, contract or recipient, wallet prompt, listing or file details, and remember that on-chain payments and public listings may be irreversible.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill gives step-by-step instructions for initiating paid blockchain marketplace actions, including x402 payment retries and listing fees, but does not clearly warn that these payments may be real, irreversible, and subject to chain-specific fees or loss from incorrect transactions. In an agent setting, this increases the chance that a user or automation triggers a purchase or listing payment without informed consent, especially because the skill is marked user-invocable and presents the payment flow as routine API usage.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal