Security audit

RedotPay Wallet

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed RedotPay CLI workflow for service lookup and wallet-backed requests, with explicit confirmation and spend-cap rules before paid actions.

Install only if you intend to use RedotPay from your agent. Before approving any request, check that the agent states the exact service, endpoint, cost, currency, purpose, and spend cap. Treat the CLI installer as a separate trust decision and verify it from RedotPay’s official source before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 95%
Finding
The manifest description defines very broad trigger phrases such as 'find', 'search', 'request', and 'look up', which are common across many benign user intents. In an agent environment, this can cause the skill to activate unexpectedly and steer queries into RedotPay service discovery or paid-request workflows, increasing the chance of unintended external calls or payment-related actions.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.