Crypto Whale Monitor

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: check public crypto wallet balances through an Ethereum RPC endpoint and print alerts.

Install only if you are comfortable sending the wallet addresses you monitor to the configured Ethereum RPC provider. If RPC_URL includes an API key, treat it as sensitive and use a limited-purpose provider key where possible. Only create a cron job if you intentionally want ongoing background monitoring.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 70%
Finding: Without declared permissions the skill's intent is opaque and cannot be validated.

Natural-Language Policy Violations

Low
Confidence: 95%
Finding: The code hard-codes `toLocaleString('en-US', ...)`, which imposes a specific locale on all users. The policy for this audit flags language/locale constraints unless the user is given a choice or the constraint is clearly justified as region-specific.

VirusTotal

66/66 vendors flagged this skill as clean.
