Agent Dev Toolkit

Security checks across malware telemetry and agentic risk

Overview

This toolkit is mostly coherent, but it gives agents high-impact wallet and broad permission guidance that users should review carefully before installing.

Review before installing. Use testnets or sandbox funds first, claim and configure wallet policies before funding any wallet, require human approval for transfers, swaps, and arbitrary contract calls, and avoid copying the broad WebFetch, Write/Edit, and Bash allowlists unless each permission is necessary for a specific agent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Missing User Warnings

Medium
Confidence: 89%
Finding
The README advertises wallet creation functionality but provides no warning about private key handling, custody responsibilities, phishing risk, or the irreversible nature of blockchain transactions. In a toolkit aimed at building and monetizing AI agents, this omission can lead users to invoke wallet features without understanding that exposed keys or mistaken transfers may permanently compromise assets.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill markets wallet creation, payments, refunds, and trading capabilities without any visible warnings about irreversible blockchain transactions, key management, spending risk, or regulatory/compliance considerations. In an agent toolkit, this is more dangerous because users may delegate financial actions to autonomous workflows, increasing the chance of unintended or unrecoverable loss.

Missing User Warnings

Medium
Confidence: 87%
Finding
The documentation promotes scraping, form submission, and complex web automation without warning about privacy, authorization, terms-of-service, or handling of personal/sensitive data. In an agent automation toolkit, this omission can normalize unauthorized collection or automated actions against third-party sites, increasing legal, privacy, and abuse risk.

Vague Triggers

Medium
Confidence: 86%
Finding
The auto-trigger list is unusually broad and includes generic phrases like 'build agent', 'custom agent', and 'model selection', which can cause this skill to load in many ordinary conversations beyond a narrowly scoped use case. In an agent framework, overbroad auto-activation increases prompt-surface exposure and the chance that operational guidance is injected into unrelated tasks, potentially influencing tool use or workflow decisions unexpectedly.

Missing User Warnings

Medium
Confidence: 82%
Finding
The README tells users to persistently modify shell startup configuration and environment settings without warning about scope, reversibility, or side effects on other Node.js workflows. Because this is a development toolkit skill, users may follow the instructions directly, and a global NODE_OPTIONS change can destabilize other projects, increase resource usage, or create hard-to-diagnose environment drift.

Vague Triggers

Medium
Confidence: 92%
Finding
The rule explicitly instructs authors to use strong auto-delegation phrases such as 'MUST BE USED' and 'Use PROACTIVELY' without requiring narrow scope, exclusions, or safety boundaries. In an agent-development toolkit, this can cause over-broad routing of tasks to specialized agents, increasing the chance that sensitive, destructive, or mismatched tasks are automatically delegated to tools or subagents that should not handle them.

Missing User Warnings

Medium
Confidence: 95%
Finding
The rule explicitly recommends `WebFetch(domain:*)`, which grants agents unrestricted outbound network access without per-domain scoping or user confirmation. In an agent-development toolkit, this is especially risky because the guidance is intended to be reused broadly across many agents, increasing the chance of data exfiltration, SSRF-like access to internal endpoints available from the runtime, or retrieval of untrusted remote instructions/content from arbitrary domains.

Missing User Warnings

High
Confidence: 95%
Finding
The skill documents transfers, swaps, and arbitrary transaction execution without strong, repeated user-facing warnings that these actions can irreversibly move or lose assets. In an agent context, this increases the chance that an autonomous system performs high-risk financial actions without sufficient friction, confirmation, or safety framing.

Missing User Warnings

High
Confidence: 99%
Finding
Documenting that all actions are allowed by default if no policies are set is highly dangerous because it creates an initially unrestricted wallet capable of agent-directed spending and contract interaction. If the API key is used before the owner configures policies, the agent may perform transfers, swaps, or arbitrary contract calls with effectively no guardrails.

VirusTotal

65/65 vendors flagged this skill as clean.