
Security audit

Urufu Agent

Security checks across malware telemetry and agentic risk

Overview

This wallet-game skill is largely transparent, but it needs review because it asks an agent to hold wallet-signing secrets and includes a paid mint path that can spend ETH/URU without an independent confirmation or enforced cooldown.

Install only if you are comfortable giving the agent a dedicated low-value wallet or a scoped session key. Do not use a main-wallet private key; keep secrets out of chat and shell history; prefer secure secret storage; verify the Urufu repo and relay URLs; run a preview before any paid mint; and rotate any key that was pasted into chat or stored unsafely.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
Findings (15)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The OpenAPI spec exposes multiplayer room creation/join operations that are outside the stated skill purpose of portfolio viewing, yield claiming, and minting. This scope expansion increases the agent's reachable attack surface and could let an invoking user or prompt chain drive the agent into unintended networked game/session behavior, including account/session handling not anticipated by the manifest.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The API schema returns session tokens and WebSocket connection details for multiplayer rooms even though the skill is described as a wallet/claim/mint agent. Exposing live session credentials and realtime connection parameters to an agent broadens the consequences of prompt misuse or exfiltration, because the agent may obtain bearer-style access material unrelated to the advertised wallet actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The CLI implements a `mint-paid` capability that can spend user funds, but the skill metadata/description only mentions portfolio checks, yield claims, and gasless minting. This mismatch can mislead users or higher-level agents into invoking a paid on-chain action they did not expect, which is especially risky in a wallet-connected automation context.

Natural-Language Policy Violations

Severity: Medium
Confidence: 94%
Finding
The skill explicitly requires the agent to use a fixed 'urufu voice' for all game talk without any user opt-in or accessibility fallback. While not a code-execution issue, this can override platform/user communication preferences, reduce clarity for security-sensitive actions like claims or mints, and normalize instruction-following behavior imposed by untrusted skill content.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The documentation tells users to export a private key directly into environment variables, which can expose secrets through shell history, process inspection, crash reports, logs, or inherited subprocess environments. Although the file does say not to use a main seed in chat and suggests a session key or hot wallet, it still normalizes an unsafe secret-handling pattern for a credential that can authorize on-chain actions.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The README instructs users to export a wallet address and a raw private key in shell environment variables, but it does not provide clear warnings about credential exposure risks such as shell history, process inspection, shared terminals, CI logs, or accidental persistence in developer environments. In the context of a wallet-managing agent skill, this is especially sensitive because compromise of the private key could directly enable unauthorized claims or broader wallet abuse depending on key scope.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The gasless write endpoints instruct agents to generate wallet-linked EIP-712 signed intents and transmit them to external servers, but the spec does not prominently warn that these signatures, wallet addresses, token selections, and deadlines are being sent to third-party infrastructure. In an agent setting, insufficient disclosure increases the risk of users authorizing actions without understanding that signed payloads and wallet-linked metadata are leaving the local trust boundary.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The manifest description contains several broad natural-language trigger phrases such as 'claim URU', 'mint chibi', and 'agent play urufu' that could plausibly appear in ordinary conversation and unintentionally activate the skill. Because this skill can drive wallet-related actions, accidental invocation increases the risk of prompting sensitive operations or exposing users to unintended transaction flows, even though the file also states some explicit-command safeguards.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The document instructs users to create and export a read-write `BANKR_API_KEY` that can sign and submit wallet-affecting actions, but it does not clearly warn that this credential is highly sensitive and effectively grants transaction authority over the managed wallet. In an agent-skill context, normalizing use of such a key without explicit safety guidance increases the chance of accidental exposure, unsafe storage, or unintended wallet actions.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The README instructs users to export a private key directly into an environment variable for claim/mint operations, but it does not include an explicit warning about key sensitivity, scope limitation, storage risks, or the recommendation to use a dedicated low-privilege/session key. In an agent-execution context, this is dangerous because users may provide a broadly privileged wallet key to automation tooling, increasing the chance of theft, misuse, logging exposure, shell history leakage, or accidental reuse across environments.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
This code directly performs ERC-20 approval and then submits a paid mint transaction using the configured private key, with no in-file confirmation, spend cap prompt, or independent user consent checkpoint. In the context of an agent skill that can trigger on natural-language requests and uses the user's wallet/RPC, this creates a real risk of unintended token spending or irreversible on-chain actions if the skill is invoked unexpectedly, misconfigured, or manipulated upstream.
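One way to put the missing checkpoint in front of the approve()+mint calls, shown here as an added example in JavaScript and not code from the Urufu skill: the guard below enforces a per-mint spend cap, refuses an unlimited ERC-20 allowance, requires a confirmation tied to a specific dry-run preview, and applies the cooldown the overview mentions. The cap, the cooldown, the URU decimals, and the shape of the preview and confirmation objects are assumptions.

```javascript
// Added example (not Urufu's code): a spend guard that runs before the
// approve()+mint() calls in a paid mint path. It enforces a per-mint cap,
// a bounded ERC-20 allowance, an explicit confirmation tied to a dry-run
// preview, and a cooldown between paid mints. The cap, cooldown, and the
// shape of the preview/confirmation objects are assumptions.

const ONE_URU = 10n ** 18n;                 // assumed: URU has 18 decimals
const MAX_UINT256 = (1n << 256n) - 1n;      // the "unlimited approval" value

const DEFAULT_POLICY = {
  maxSpendPerMint: 50n * ONE_URU,   // hypothetical cap: 50 URU per paid mint
  cooldownMs: 10 * 60 * 1000,       // hypothetical: one paid mint per 10 minutes
  allowUnlimitedApproval: false,    // never approve MAX_UINT256 to the minter
};

function fmtUru(wei) {
  return (Number(wei) / Number(ONE_URU)).toString();
}

// Returns a checker bound to `policy` and a mutable `state` holding the last
// successful paid-mint time. `now` is injected so cooldown logic is testable.
function createPaidMintGuard(policy = DEFAULT_POLICY, state = { lastPaidMintAt: null }) {
  return function checkPaidMint(request, now = Date.now()) {
    const { price, approvalAmount, preview, confirmation } = request;
    const problems = [];

    // 1. Spend cap on the price the mint contract will pull.
    if (typeof price !== 'bigint' || price <= 0n) {
      problems.push('price must be a positive bigint (wei)');
    } else if (price > policy.maxSpendPerMint) {
      problems.push(`price ${fmtUru(price)} URU exceeds cap ${fmtUru(policy.maxSpendPerMint)} URU`);
    }

    // 2. Bounded allowance: approve exactly the price, never an open-ended amount.
    if (typeof approvalAmount !== 'bigint') {
      problems.push('approvalAmount missing');
    } else if (approvalAmount === MAX_UINT256 && !policy.allowUnlimitedApproval) {
      problems.push('unlimited ERC-20 approval is not allowed');
    } else if (typeof price === 'bigint' && approvalAmount > price) {
      problems.push(`approval ${fmtUru(approvalAmount)} URU exceeds mint price ${fmtUru(price)} URU`);
    }

    // 3. Independent confirmation: the user must acknowledge the exact preview
    //    (same id and price), so a passing "mint chibi" in chat is not enough.
    if (!preview || !confirmation) {
      problems.push('no user confirmation of a dry-run preview');
    } else if (confirmation.previewId !== preview.id || confirmation.price !== price) {
      problems.push('confirmation does not match the previewed mint');
    }

    // 4. Cooldown between successful paid mints.
    if (state.lastPaidMintAt !== null && now - state.lastPaidMintAt < policy.cooldownMs) {
      const waitSec = Math.ceil((policy.cooldownMs - (now - state.lastPaidMintAt)) / 1000);
      problems.push(`cooldown active, retry in ${waitSec}s`);
    }

    // Only a fully passing request advances the cooldown clock.
    if (problems.length === 0) state.lastPaidMintAt = now;
    return { ok: problems.length === 0, problems };
  };
}

// Constructed sample: a 10 URU mint with an exact allowance and a matching confirmation.
const SAMPLE_PREVIEW = { id: 'preview-1', price: 10n * ONE_URU };
const SAMPLE_REQUEST = {
  price: 10n * ONE_URU,
  approvalAmount: 10n * ONE_URU,
  preview: SAMPLE_PREVIEW,
  confirmation: { previewId: 'preview-1', price: 10n * ONE_URU },
};
```

A rejected request never advances the cooldown clock, so a failed attempt cannot be used to stall a later legitimate one. The allowance check is deliberately tighter than the cap: an allowance that outlives the mint is what a compromised or upgraded minter contract would drain later, so the approval should equal the price and nothing more.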

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The code sends the user's wallet address, mint intent signature, Merkle proof, and mint parameters to a remote `${config.siteUrl}` relay endpoint. Even if this is required for a gasless mint flow, it exposes signed authorization material and wallet-linked activity to an off-chain service without any in-file consent, trust validation, or visible restriction on what endpoint may receive it, which creates privacy and misuse risk if the relay or configuration is malicious or compromised.
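An added example, not the skill's own code, of the pre-send check that this finding and the EIP-712 disclosure finding above both call for: the relay host is matched against a pinned allowlist, the intent deadline is bounded so the relay cannot hold a signature indefinitely, and every field leaving the machine is rendered for the user before the request is made. The allowlisted host name, the intent field names, and the sample payload are assumptions or constructed.

```javascript
// Added example (not the skill's code): a pre-send check for the gasless relay
// path. Before a signed EIP-712 intent leaves the machine it (1) checks the
// relay URL against a pinned allowlist, (2) bounds the intent deadline, and
// (3) renders a disclosure of every field that will be transmitted. The
// allowlisted host and the intent field names are assumptions.

const RELAY_ALLOWLIST = ['relay.urufu.example']; // hypothetical; pin the verified relay host

function checkRelayUrl(rawUrl, allowlist = RELAY_ALLOWLIST) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { ok: false, reason: 'relay URL is not parseable' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: `relay must use https, got ${url.protocol}` };
  if (url.username || url.password) return { ok: false, reason: 'relay URL embeds credentials' };
  if (!allowlist.includes(url.hostname)) return { ok: false, reason: `relay host ${url.hostname} is not allowlisted` };
  return { ok: true, reason: 'relay host allowlisted' };
}

// The deadline bounds how long the relay can hold and replay the signed intent.
function checkDeadline(deadlineSec, nowSec, maxWindowSec = 15 * 60) {
  if (!Number.isInteger(deadlineSec)) return { ok: false, reason: 'deadline missing or not an integer' };
  if (deadlineSec <= nowSec) return { ok: false, reason: 'deadline already passed' };
  if (deadlineSec - nowSec > maxWindowSec) {
    return { ok: false, reason: `deadline ${deadlineSec - nowSec}s ahead exceeds ${maxWindowSec}s window` };
  }
  return { ok: true, reason: 'deadline within window' };
}

// Everything in `payload` crosses the local trust boundary; show each field
// (long strings such as the signature are abbreviated) before sending.
function describeOutbound(relayUrl, payload) {
  const lines = [`Will send to ${new URL(relayUrl).origin}:`];
  for (const [key, value] of Object.entries(payload)) {
    const text = typeof value === 'string' ? value : JSON.stringify(value);
    const shown = text.length > 24 ? `${text.slice(0, 12)}...${text.slice(-6)}` : text;
    lines.push(`  ${key}: ${shown}`);
  }
  return lines.join('\n');
}

function preflightRelaySend({ relayUrl, payload, nowSec, allowlist = RELAY_ALLOWLIST }) {
  const checks = [checkRelayUrl(relayUrl, allowlist), checkDeadline(payload.deadline, nowSec)];
  const problems = checks.filter((c) => !c.ok).map((c) => c.reason);
  return {
    ok: problems.length === 0,
    problems,
    disclosure: problems.length === 0 ? describeOutbound(relayUrl, payload) : null,
  };
}

// Constructed sample intent: wallet address, signature, Merkle proof, mint params.
const SAMPLE_NOW_SEC = 1700000000;
const SAMPLE_PAYLOAD = {
  address: '0x1111111111111111111111111111111111111111',
  signature: '0x' + 'ab'.repeat(65),
  merkleProof: ['0x' + '22'.repeat(32), '0x' + '33'.repeat(32)],
  tokenId: 7,
  quantity: 1,
  deadline: SAMPLE_NOW_SEC + 600,
};
```

The allowlist is compared against the parsed hostname rather than a string prefix, so a `siteUrl` like `https://relay.urufu.example.attacker.tld` or one carrying `user:pass@` does not slip through; the disclosure is only produced when every check passes, so the user is never shown a payload that is then sent somewhere other than the displayed origin.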

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding
The function loads a private key via `requireSigner(config)` and uses it to sign EIP-712 mint intents. While signing is expected for this feature, direct private-key access inside an automation skill increases key-exposure risk because compromise of the runtime, logs, dependencies, or configuration can lead to unauthorized signing, and the file provides no guardrails such as hardware-wallet isolation or explicit approval flow.
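The private-key and API-key findings above all describe the same pattern, so this single added example (JavaScript, not code from the skill) shows the alternative to `export URUFU_PRIVATE_KEY=0x...`: accept the key only from an owner-only file, refuse to start if a secret is already sitting in the environment, and scan shell history for keys that were pasted and must be rotated. The variable names, the file metadata the caller supplies, and the sample history are assumptions or constructed.

```javascript
// Added example (not the skill's code): stricter handling of the signing key
// than `export URUFU_PRIVATE_KEY=0x...`. The key is accepted only from an
// owner-only file, never from the environment, and the shell history is
// scanned for keys that were already pasted. The environment variable names
// and the sample history are assumptions / constructed.

const SECRET_ENV_NAMES = ['URUFU_PRIVATE_KEY', 'PRIVATE_KEY', 'BANKR_API_KEY']; // assumed names
const HEX_KEY_SRC = '(?:0x)?[0-9a-fA-F]{64}';
const HEX_KEY_ONCE = new RegExp('\\b' + HEX_KEY_SRC + '\\b');
const HEX_KEY_ALL = new RegExp('\\b' + HEX_KEY_SRC + '\\b', 'g');

function isValidPrivateKey(s) {
  return /^0x[0-9a-fA-F]{64}$/.test(s);
}

// Refuse to run when a secret is present in the process environment: child
// processes inherit it, and crash reports or `ps e` can expose it.
function findSecretsInEnv(env) {
  return SECRET_ENV_NAMES.filter((name) => typeof env[name] === 'string' && env[name].length > 0);
}

// Validate a key file before using its contents. Callers pass
//   contents   = fs.readFileSync(path, 'utf8')
//   mode       = fs.statSync(path).mode & 0o777
//   ownerUid   = fs.statSync(path).uid, processUid = process.getuid()
function validateKeyFile({ contents, mode, ownerUid, processUid }) {
  const problems = [];
  if (ownerUid !== processUid) problems.push('key file is not owned by the current user');
  if (mode & 0o077) problems.push(`key file mode 0${mode.toString(8)} is readable by group/others; use 0600`);
  const key = contents.trim();
  if (!isValidPrivateKey(key)) problems.push('contents are not a 0x-prefixed 32-byte hex key');
  return { ok: problems.length === 0, problems, key: problems.length === 0 ? key : null };
}

// Scan shell history text (e.g. ~/.bash_history) for 32-byte hex values and
// report line numbers with the value redacted. Any hit means: rotate the key
// and clear the history; false positives such as hashes are acceptable.
function scanHistoryForKeys(historyText) {
  const hits = [];
  historyText.split('\n').forEach((line, index) => {
    if (HEX_KEY_ONCE.test(line)) {
      hits.push({
        line: index + 1,
        preview: line.replace(HEX_KEY_ALL, (m) => m.slice(0, 6) + '...[redacted]'),
      });
    }
  });
  return hits;
}

// Constructed sample history showing the pattern the findings above describe.
const SAMPLE_KEY = '0x' + 'ab'.repeat(32);
const SAMPLE_HISTORY = [
  'ls -la',
  `export URUFU_PRIVATE_KEY=${SAMPLE_KEY}`,
  'export URUFU_RPC_URL=https://base-mainnet.example/v2/key',
  'node cli.mjs claim',
].join('\n');
```

At startup the agent would call `findSecretsInEnv(process.env)` and abort if it returns anything, then read the key file and pass its contents and `stat` results to `validateKeyFile`; the history scan is a one-off hygiene check to run after a key has been pasted into a terminal, and it reports only line numbers and a redacted preview so the scan output itself cannot leak the key.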

Session Persistence

Severity: Medium
Category: Rogue Agent
Content
**Human:** 0xabc…

**Agent:** got it. next: base rpc. urufu dont host one — grab free alchemy base mainnet (alchemy.com → create app → base → copy https url). paste it here OR set `URUFU_RPC_URL` on ur vm and say "done"

**Human:** done, set on my vm
Confidence: 73%
Finding
create app → base → copy https url). paste it here OR set `URUFU_RPC_URL` on ur vm and say "done" **Human:** done, set on my vm **Agent:** last thing for writes: session key on ur agent vm as `URUFU

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content
"test": "node --test policy.test.mjs steward.test.mjs mint.test.mjs"
  },
  "dependencies": {
    "viem": "^2.48.4"
  }
}
Confidence: 89%
Finding
"viem": "^2.48.4"
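As an added example (not the project's code), a pre-install check that turns this finding into something a user can run against the manifest: it flags floating ranges such as the caret above, specifiers that resolve from git or URLs instead of the registry, and lifecycle hooks that execute code during install. The manifest it scans is constructed from the fragment above plus assumed extra entries, each labelled in the code.

```javascript
// Added example (not the project's code): a supply-chain check run on a skill's
// package.json before `npm install`. It flags floating version ranges, dependency
// specifiers that resolve from git/URLs/paths instead of the registry, and
// lifecycle hooks that execute code at install time. The sample manifest is
// constructed from the report's fragment plus assumed extra entries.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;
const NON_REGISTRY = /^(?:git\+|git:|github:|https?:|file:)|^[\w.-]+\/[\w.-]+(?:#.*)?$/;
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

function auditPackageManifest(pkg, { hasLockfile = false } = {}) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (NON_REGISTRY.test(spec)) {
        findings.push({
          severity: 'high', where: `${section}.${name}`, spec,
          why: 'resolves from git/URL/path rather than the registry; contents can change under the same spec',
        });
      } else if (!EXACT_VERSION.test(spec)) {
        findings.push({
          severity: hasLockfile ? 'low' : 'medium', where: `${section}.${name}`, spec,
          why: hasLockfile
            ? 'floating range; reproducible only if installs use the lockfile (npm ci)'
            : 'floating range with no lockfile; a newer release can be pulled in silently',
        });
      }
    }
  }
  for (const hook of INSTALL_HOOKS) {
    if (pkg.scripts && typeof pkg.scripts[hook] === 'string') {
      findings.push({
        severity: 'high', where: `scripts.${hook}`, spec: pkg.scripts[hook],
        why: 'runs arbitrary code during install',
      });
    }
  }
  return findings;
}

// Constructed manifest: the viem entry and test script from the report plus assumed lines.
const SAMPLE_MANIFEST = {
  scripts: {
    test: 'node --test policy.test.mjs steward.test.mjs mint.test.mjs',
    postinstall: 'node scripts/setup.mjs',            // assumed, not in the report
  },
  dependencies: {
    viem: '^2.48.4',                                  // from the report
    'some-helper': 'github:example/some-helper#main', // assumed, not in the report
    pinned: '1.2.3',                                  // assumed: exact version, no finding
  },
};
```

A caret range only becomes reproducible when a lockfile is committed and installs use `npm ci` rather than `npm install`, which is why the severity drops rather than disappears when `hasLockfile` is true; the git/URL and install-hook cases stay high regardless, since neither is pinned by a lockfile in a way a user can verify by reading the manifest.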

VirusTotal

65/65 vendors reported this skill as clean.


Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Severity: Critical
Code: suspicious.dangerous_exec
Location: scripts/install-hermes.mjs:21

Shell command execution detected (child_process).

Severity: Critical
Code: suspicious.dangerous_exec
Location: scripts/package-hermes.mjs:67