Security audit

TruCheq Protocol

Security checks across malware telemetry and agentic risk

Overview

This marketplace skill is coherent, but it enables payments, uploads, and seller messaging without clearly requiring user confirmation first.

Review before installing if an agent may act on ambiguous prompts. Use only a trusted TRUCHEQ_API_URL, do not provide private keys or secrets, and require explicit confirmation before any payment, upload, World ID proof verification, or XMTP message is sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill documentation instructs an agent to perform actions with real-world effects (sending XMTP messages, uploading content, and especially initiating x402 payments) without explicit guidance to obtain fresh user confirmation or to warn about irreversible financial and privacy consequences. In an agent setting, this can lead to unintended fund transfers, disclosure of wallet addresses or messages, and user surprise, because the documented flows normalize transactional actions as routine steps.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.