one-wallet

Security checks across malware telemetry and agentic risk

Overview

This is a coherent one-wallet CLI guide, but it gives an agent high-impact wallet, signing, and transaction authority with some under-scoped safety controls.

Install only after verifying the one-wallet package and repository. Use testnet or low-value wallets first, avoid pasting real private keys into chat or shell commands, prefer a dedicated secret manager, and require explicit human confirmation before any send, token approval, contract write, or signature.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The skill activation text is broad enough to trigger on general Ethereum/EVM CLI tasks, causing the agent to preferentially use this skill outside its narrowly intended scope. In a wallet-management skill, overbroad routing increases the chance the agent will perform sensitive operations such as imports, signing, or transaction submission when a safer, more generic, or more constrained workflow would have been more appropriate.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal