Barra

Security checks across malware telemetry and agentic risk

Overview

This skill is for live Binance BTC buying and its purpose is coherent, but it lacks a clear, mandatory confirmation step before spending real funds.

Install only if you intentionally want an agent able to buy BTC on Binance. Use a dedicated, low-balance API key with withdrawals and unrelated permissions disabled, enable IP allowlisting, rotate keys if exposed, and require manual review of symbol, amount, order type, price, fees, and slippage before every live trade.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
86%
Finding
This skill can place real spot buy orders on a cryptocurrency exchange, but the documentation does not require an explicit user confirmation step immediately before order submission or clearly warn that the transaction may be financially consequential and hard to reverse. In an agent setting that extracts parameters from natural language, this increases the risk of accidental trades, ambiguous intent being treated as authorization, or prompt-manipulated order execution.

VirusTotal

65/65 vendors flagged this skill as clean.
