AgentPay SDK

Security checks across malware telemetry and agentic risk

Overview

This AgentPay skill is coherent for wallet payments, but it needs review because it can install persistent payment tooling and move crypto funds, and it uses under-scoped install and payment defaults.

Install only if you trust the AgentPay publisher and the wlfi.sh installer. Prefer a verified or inspected installer, use a dedicated wallet with limited funds, enable spending limits and manual approvals, keep vault and backup passwords out of chat, and explicitly confirm network, asset, recipient, spender, amount, broadcast flag, and any MPP `--amount` cap before authorizing payments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

Medium
Confidence: 80%
Finding
The skill description is very broad and can trigger on many payment-, install-, and policy-related requests, increasing the chance the agent invokes a funds-moving or system-changing skill when a narrower, safer skill would be more appropriate. In a payment context, unintended invocation is more dangerous because it can lead to wallet setup, funding guidance, or transaction execution workflows being initiated without a tightly scoped user request.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill includes installation and setup commands that modify the host, including a one-line remote installer, but does not prominently warn that these actions change the system and may install services or alter local configuration. Because this skill also mentions daemon management and OS service integration, lack of warning raises the risk that users or agents execute impactful commands without informed consent.

Missing User Warnings

High
Confidence: 94%
Finding
The skill advertises sending assets, approving allowances, and broadcasting transactions but does not clearly warn that these actions can irreversibly move funds or grant token spending authority. In a wallet/payment skill, omission of that warning is especially dangerous because users may not appreciate that approvals and broadcasts can have permanent onchain consequences.

Vague Triggers

Medium
Confidence: 90%
Finding
The manifest allows implicit invocation while advertising a very broad scope: installation, wallet setup/reuse, funding checks, policy guidance, approvals, transfers, broadcasts, and merchant payment flows. In a financial skill, this increases the chance the agent will autonomously route into sensitive payment operations without a tightly scoped user trigger, which can lead to unintended fund movement or unsafe operational guidance.

Missing User Warnings

Medium
Confidence: 98%
Finding
The document instructs users to execute a remotely fetched script directly with `bash`, with no integrity verification, pinning, signature check, or review step. In a skill intended for agent-driven installation and wallet/payment tooling, this is especially dangerous because compromise of the remote host, DNS/TLS path, or installer supply chain can lead to immediate arbitrary code execution and credential or wallet theft.

Missing User Warnings

Medium
Confidence: 97%
Finding
The one-click update path repeats the same unsafe remote-script-to-shell pattern and omits any warning that the command will modify local runtime, services, credentials, or wallet-related components. Update flows are often trusted and re-run routinely, which increases the chance of silent compromise if the installer source is tampered with.

Missing User Warnings

Medium
Confidence: 94%
Finding
The guidance tells the agent to export an encrypted wallet backup to an arbitrary user-specified path but omits any warning that the file is highly sensitive, should be stored securely, and should not be written to insecure or shared locations. In a payment/wallet-management skill, that omission increases the chance of credential material being exposed through weak file placement, backups, syncing folders, or accidental sharing.

Missing User Warnings

Medium
Confidence: 95%
Finding
The restore instruction directs use of a backup file without warning that restoration changes wallet state and must only be performed from a trusted, verified backup. In this context, using an untrusted or wrong backup could replace access to the intended wallet, disrupt operations, or restore attacker-controlled state/material.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation explicitly states that when `--amount` is omitted, the CLI pays whatever amount the server requests in the 402 challenge. In a payment-enabled agent skill, this creates real spend risk because a malicious or compromised endpoint can demand an unexpectedly high amount, and the example normalizes blind auto-payment without a strong warning or safe default.

VirusTotal

66/66 vendors flagged this skill as clean.