Crypto Listing Alert

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-related, but it should be reviewed because it instructs the agent to handle Telegram/Discord bot tokens and API keys in ways that can expose secrets.

Review the SKILL.md before installing. Only use it with bot tokens you are willing to risk, prefer least-privilege throwaway bots, avoid putting API keys directly on command lines, and do not let the skill read broad local configuration files unless you understand exactly which credentials it will access.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill explicitly instructs the agent to pull Telegram/Discord bot tokens from local config and to pass API keys on the command line. That creates a real secret-handling risk: command-line arguments may be exposed via process listings, logs, telemetry, shell history, or downstream tool output, and reading unrelated config secrets broadens access beyond least privilege.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal