Celo Agent Skills

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Celo developer skill bundle, but it needs review because many examples can spend funds, expose wallet or secret data, or make public, irreversible blockchain changes without strong adjacent safety gates.

Review before installing if your agent may run commands or generate production code from skills. Use testnets first, require explicit human confirmation before deploy, transfer, approve, bridge, x402 payment, or raw transaction broadcast, keep private keys and mnemonics out of source control and logs, and expose local services with ngrok only for intentional testing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (27)

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The examples show on-chain agent registration and later reputation writes without clearly warning that these actions create permanent, public blockchain records and may incur irreversible costs. In a skill intended for AI-agent development, omission of that warning can cause users or downstream agents to publish identity and metadata unintentionally, increasing privacy, compliance, and operational risk.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The feedback example submits endpoint URLs, feedback URIs, and hashes without warning that this data may be stored on-chain or otherwise exposed externally. That can leak infrastructure details, sensitive references, or correlatable metadata, especially in a trust/reputation protocol where identifiers and service endpoints are central to discovery.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The paid-request example wraps fetch with x402 payment support and can initiate value-bearing network requests, but it does not warn the reader that calling the function may spend funds. In an agent-oriented skill, this is more dangerous because autonomous integrations may execute examples directly, turning a documentation snippet into unintended payment authorization behavior.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The example calls a payable bridge function that moves real assets on-chain, but it does not include any explicit user-facing confirmation or warning that funds will be bridged and may be delayed, irreversible, or subject to bridge risk. In an agent or app context, developers may copy this pattern directly, leading to unintended transfers if the function is triggered without a clear pre-execution consent step.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The LI.FI example progresses from quote retrieval to route execution without showing a mandatory user review step, even though executeRoute may initiate approvals, swaps, and cross-chain transfers. Because cross-chain operations can be complex and partially irreversible, omitting a warning materially increases the risk that integrators build unsafe UX or agent-driven flows that move user funds unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill includes deployment commands that can submit on-chain transactions with `--broadcast` or network-targeted deploy steps, but it does not clearly warn users that these actions may spend funds, deploy immutable contracts, or affect public testnet/mainnet state. In a scaffolding skill for developers, users may copy-paste commands directly, increasing the chance of unintended chain interactions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill instructs users to place a raw `PRIVATE_KEY` in an environment file without any security guidance. This is dangerous because developers may store live keys in plaintext, accidentally commit them to source control, reuse production wallets, or expose them through local tooling and CI logs.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
The MiniPay template explicitly recommends auto-connecting a wallet on page load when `window.ethereum?.isMiniPay` is detected, without any mention of a user-facing notice, opt-in, or consent flow. Even if no transaction is signed automatically, implicit wallet connection can expose account information, create confusing trust boundaries, and normalize consent-less wallet access patterns in dApps built from the template.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill provides executable approval and transaction examples that can grant third-party spending rights or move real on-chain assets, but it does not warn users about the consequences of signing these transactions. In a developer skill focused on DeFi integrations, omission of such warnings increases the chance that users will copy-paste examples against mainnet and unintentionally expose funds through overbroad approvals or irreversible transfers.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The skill introduces swaps, lending, borrowing, and liquidity provision without warning about liquidation risk, slippage, smart-contract risk, or irreversible losses. Because this is a DeFi integration guide intended to help developers build financial flows, missing risk disclosures makes misuse more likely and can lead to unsafe product implementations that expose end users to avoidable financial harm.

Missing User Warnings

Severity: Low
Confidence: 91%
Finding:
The skill instructs users to interact with third-party RPC providers, including API-key-backed endpoints, but does not disclose that queried addresses, transaction hashes, metadata, and usage patterns are exposed to those providers. This is a real privacy and operational-security issue, especially for production or sensitive workflows, even though the examples are otherwise standard documentation.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The documentation states that standard RPC methods include eth_sendRawTransaction without warning that broadcasting a signed transaction is state-changing, publicly visible, and generally irreversible once propagated and mined. In a developer skill, omitting that warning can lead to accidental mainnet submission, unintended fund loss, or unintended contract state changes.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The skill includes copy-pastable token transfer commands and code that will submit real onchain transactions, but it does not clearly warn users that these examples can move mainnet funds if run as written. In a blockchain developer skill, that omission is risky because users may overlook network, token decimals, recipient address, or the use of a live private key and unintentionally transfer irreversible real assets.

Missing User Warnings

Severity: Low
Confidence: 91%
Finding:
The skill includes examples that instruct users to supply a raw private key via environment variables and command-line usage without any accompanying warning about credential sensitivity, storage hygiene, or safer alternatives. While common in developer docs, this can normalize insecure secret handling and increase the chance of accidental key disclosure through shell history, checked-in .env files, or shared environments.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The document includes a .env template that instructs users to place a raw private key directly in an environment variable, but it does not include any warning about secure secret handling, use of dedicated deployer keys, or avoiding committing secrets to source control. In a blockchain deployment context, exposing a private key can immediately lead to irreversible loss of funds, unauthorized deployments, or takeover of privileged on-chain roles.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill includes ready-to-run deployment and transaction commands that use real RPC endpoints, `--broadcast`, and raw private keys without an explicit warning that these perform irreversible on-chain actions and may spend real funds. In an agent-skill context, this is risky because users or downstream automation may copy or invoke the commands without appreciating that they target live networks.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The skill instructs users to store a raw blockchain private key in a .env file without any guidance on secure handling, exclusion from version control, or use of safer signing options. In a developer workflow skill, this can lead to accidental key disclosure through git commits, shell history, screenshots, backups, or CI logs, resulting in wallet compromise and theft of on-chain assets.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill provides a one-line command for Celo mainnet deployment without clearly warning that this performs a real, irreversible transaction and consumes funds. In instructional content, omission of that warning increases the chance of accidental mainnet deployment, unintended contract publication, and avoidable financial loss.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The reference documentation includes example Hardhat network configuration using PRIVATE_KEY and MNEMONIC for account loading but does not warn users that these are highly sensitive secrets that must never be hardcoded, committed, logged, or shared. In a developer playbook, omission of secret-handling guidance can lead to credential exposure and unauthorized control of deployment wallets.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill includes code that immediately requests wallet access and demonstrates token transfer flows without any explicit warning that these actions can trigger permission prompts or move real funds. In a wallet-integration playbook, this is dangerous because developers may copy the examples verbatim into production UX, leading to user surprise, consent issues, and accidental transfers on mainnet-supported environments like MiniPay.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
The example demonstrates account-based transaction submission that can move assets and consume gas, but it does not explicitly warn implementers that invoking this flow triggers a wallet signing action with financial consequences. In an agent-skill or copy-paste documentation context, missing consent guidance increases the risk that developers embed transaction flows without clear user confirmation UX, leading to unintended asset transfers or deceptive prompting patterns.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The hook calls eth_requestAccounts during initialization without warning that it will trigger a wallet permission prompt and reveal the user's address to the application. Automatically requesting accounts on load is a known poor security/privacy pattern because it conditions users to approve access reflexively and may disclose wallet information before meaningful consent is obtained.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The skill demonstrates server-side initialization with `THIRDWEB_SECRET_KEY` but does not explicitly warn that the secret must never be exposed to browser bundles, client code, logs, or public env vars. In a developer playbook, omission of credential-handling guidance can lead users to copy the pattern insecurely, causing API key compromise and unauthorized use of thirdweb resources.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding:
The transfer example shows a live asset-moving transaction with no warning that blockchain transactions are irreversible and may transfer real funds if used against production contracts. In a copy-paste oriented skill, this increases the risk of accidental token loss, misuse of hardcoded recipient addresses, or unsafe UX patterns that do not require explicit user confirmation.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The documentation includes ready-to-copy examples for ERC20 approvals and transfers, which are asset-moving and permission-granting operations, but it does not warn users that these calls can move funds or authorize third parties to spend tokens. In an agent skill context, this omission is riskier because an automated system may surface or reuse the snippets without adding UX safeguards, increasing the chance of accidental or overly broad approvals.

VirusTotal

64/64 vendors flagged this skill as clean.
