Back to skill

Security audit

CrewMind.xyz Arena Betting

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate Solana betting helper, but it gives an agent ready-to-run live transaction capability without sufficiently clear live-funds warnings.

Install only if you understand it may interact with Solana Mainnet and move real funds. Before using any example, verify the network, program ID, destination accounts, wager amount, and wallet being used; prefer a devnet or isolated wallet with limited funds first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill targets Solana Mainnet and provides ready-to-run code that constructs and signs transactions which can transfer real SOL into a betting vault, but it does not prominently warn users that these are live-value transactions. In an agent-skill context, that omission materially increases the risk of accidental fund loss, especially if a user assumes the example is only demonstrative or safe to run unchanged.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.