social-value

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real micropayment wallet skill, but it should be reviewed carefully because it can control a mainnet wallet and move funds without strong nearby confirmation guidance.

Install only if you intentionally want an agent-controlled wallet. Start on testnet, set a low maximum balance, protect the mnemonic like cash, and require explicit confirmation for every mainnet transfer, batch payout, or withdrawal.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: This section walks the operator through creating and funding a real-money wallet from a BIP39 mnemonic, but it does not prominently require confirmation of network selection before setup or first use. Because the default network is later documented as mainnet, a user could unintentionally initialize and transact with real funds when they expected a safer test environment, leading to irreversible financial loss.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The examples demonstrate live fund-moving operations such as transfers, batch payouts, and withdrawals without nearby confirmation or safety guidance. In an agent skill context, copy-pasted examples or automated use of these snippets could cause unintended irreversible payments, especially since destinations and amounts are externally supplied and the wallet controls real funds.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal