x402 Crypto Market Structure

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed crypto market-data MCP integration, with privacy considerations around sending wallet addresses and trading questions to its provider.

Install only if you trust the x402.tunedfor.ai MCP provider. Treat results as informational, confirm before submitting wallet addresses tied to your identity or holdings, and never provide private keys, seed phrases, exchange logins, or other secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger examples are short, natural-language phrases such as 'what is bitcoin doing' and 'should I buy ETH' that can easily appear in ordinary conversation. In systems that use trigger matching to auto-select skills, this can cause unintended invocation of this market-intelligence skill, potentially sending user queries or wallet-related context to the remote MCP service without clear user intent.

Missing User Warnings

Medium
Confidence: 79%
Finding
The skill exposes an address risk profiling capability but does not warn users that submitted wallet addresses may be sensitive financial identifiers and will be sent to a third-party service. This omission can lead to privacy harm, unintended deanonymization, or compliance issues, especially when users assume addresses are being analyzed locally or do not understand the data-sharing implications.

VirusTotal

66/66 vendors flagged this skill as clean.
