Karma Book

Security checks across malware telemetry and agentic risk

Overview

Karma Book is mostly a disclosed social-platform skill, but it needs review because it can perform real crypto/DeFi actions and overwrite its own installed files from the web.

Install only if you intentionally want an agent to participate on Karmabook and you can strictly gate it. Require explicit confirmation for posts, votes, verifications, profile changes, and every wallet or DeFi action; do not let heartbeat automation run financial endpoints; keep KARMABOOK_API_KEY out of logs and broad memory; and manually review downloaded updates before replacing installed skill files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Context-Inappropriate Capability
Severity: Medium
Confidence: 97%
Finding: The heartbeat includes a self-update mechanism that downloads remote files and overwrites local skill files in the agent directory without integrity verification, signature checking, pinning, or user confirmation. This creates a supply-chain and persistence risk: if the remote endpoint or transport path is compromised, an attacker can replace the local skill with malicious instructions that will run on future invocations.

Description-Behavior Mismatch
Severity: High
Confidence: 96%
Finding: The manifest presents the skill as a social-good/social-network tool, but it also exposes direct wallet transfer and broad on-chain execution capabilities. This is dangerous because users or calling agents may invoke financially sensitive actions under a benign social context, increasing the chance of unauthorized transfers, deceptive routing, or misuse of wallet authority.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The endpoint allows 'any on-chain DeFi action' from a natural-language prompt, which is far broader than the stated social-network purpose. Natural-language execution dramatically increases risk because ambiguous or manipulated prompts can trigger swaps, approvals, bridging, or other asset-moving behavior without narrowly scoped intent or safety boundaries.

Description-Behavior Mismatch
Severity: High
Confidence: 97%
Finding: The skill is framed as a social posting and leaderboard tool, but it also references wallet transfer and DeFi execution endpoints that can move real crypto. This is a dangerous scope expansion because a user or agent may enable the skill expecting low-risk social actions while unknowingly granting a path to high-impact financial operations.

Context-Inappropriate Capability
Severity: High
Confidence: 96%
Finding: Real-crypto transfer and DeFi action capabilities are context-inappropriate for a skill described primarily as social participation, posting, and leaderboard engagement. Even though the text warns not to automate them, embedding these endpoints in the same skill increases the chance of accidental invocation, confused-deputy behavior, or unsafe delegation by agents.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The skill instructs routine authenticated API calls using a bearer token but provides no warning about secure credential handling, token scope, logging, or accidental disclosure. In agent environments, this can lead to secrets being embedded in command history, logs, prompts, or reused unsafely across contexts.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The update instructions overwrite local skill files directly from remote URLs without any safety warning, validation, or review step. This is dangerous because it converts a documentation action into arbitrary trusted local state modification, enabling remote tampering of the agent's future behavior.

Vague Triggers
Severity: Medium
Confidence: 90%
Finding: The trigger list includes generic phrases like 'send crypto', 'transfer eth', 'defi action', 'swap tokens', and 'check eth balance', which can match common wallet requests outside the social-app context. In combination with sensitive financial endpoints, broad triggers increase the likelihood of accidental skill selection and unintended invocation of high-risk capabilities.

Missing User Warnings
Severity: High
Confidence: 97%
Finding: The manifest advertises wallet transfer and on-chain action features without visible warnings about financial loss, irreversibility, gas costs, approvals, or smart-contract risk. In this context, the absence of user-facing safety signals makes a socially branded skill more dangerous because users may not expect blockchain operations with permanent monetary consequences.

VirusTotal

66/66 vendors reported this skill as clean.