Back to skill

Security audit

Flashloan

Security checks across malware telemetry and agentic risk

Overview

This skill is advertised as a flashloan analysis tool, but the artifacts show it is actually a local text-entry manager that stores, deletes, and exports user input.

Install only if you want a simple local log stored under ~/.flashloan, not a real flashloan or protocol-security analysis tool. Do not enter secrets, wallet details, private investigation notes, or sensitive prompts unless you are comfortable with plaintext local storage and possible export into the working directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The documented commands implement CRUD and filesystem-oriented operations rather than flashloan or blockchain analysis. In an agent environment, this can mislead tool selection and cause the skill to be invoked in sensitive contexts where local disk manipulation is unexpected, enabling data exfiltration via export or data tampering via remove/config functions.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The skill documentation says it is for flashloan analysis, but the listed usage modes are generic record-management actions like add, list, and remove. Internal contradiction reduces operator trust and can cause unsafe assumptions about what the skill will do, especially when an autonomous system chooses tools from descriptions rather than inspecting implementation details.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill’s stated purpose is flashloan analysis, but the implementation is a generic local note/config tracker. This mismatch is dangerous because users or higher-level agents may grant trust, invoke it in sensitive workflows, or pass blockchain/security-relevant inputs under false assumptions, while the skill instead persists arbitrary local data to disk.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The inline description explicitly claims flashloan-analysis capability even though the script only stores, lists, searches, removes, and exports local entries. Deceptive documentation increases the chance that users or orchestrating agents will misuse the skill in security-sensitive contexts and expose data to unintended local persistence.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The help text advertises flashloan analysis while presenting only generic CRUD-style commands. This is a trust-boundary problem: it can mislead users into supplying sensitive operational or analytical data to a tool that does not perform the promised function and instead writes data locally.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script creates a persistent data directory and writes arbitrary user-supplied content there, despite no justified relationship to flashloan analysis. Unnecessary persistence broadens the attack surface by retaining potentially sensitive data and enabling hidden state across runs, which is especially problematic in agent/tooling environments.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The invocation text is broad enough that an agent may select this skill whenever blockchain or security concepts are mentioned, even though the documented commands are unrelated local data operations. That overbroad trigger surface increases the chance of accidental invocation and unintended side effects in contexts where users expect read-only analytical behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation exposes destructive and file-writing commands such as remove and export without any warning, confirmation, or safety notes. In an agent-assisted workflow, undocumented write/delete behavior can lead to silent data loss, persistence of sensitive information, or creation of export files in locations the user did not anticipate.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
User-provided entries are written to disk without prior disclosure or consent. In an agent setting, this can silently persist prompts, analysis artifacts, secrets, or other sensitive local data, creating privacy and data-governance risks that users may not anticipate.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The remove command deletes stored entries immediately with no confirmation or dry-run behavior. While not a code-execution issue, it creates integrity and availability risk by allowing accidental or automated deletion of local data with little user awareness.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.