Back to skill

Security audit

Scout

Security checks across malware telemetry and agentic risk

Overview

Scout is a coherent trust-scoring skill with disclosed local scripts for Moltbook analysis, DM replies, and Base Sepolia USDC payments, but those features should be used deliberately.

Install only if you are comfortable giving the skill a Moltbook API key and making outbound trust-analysis requests. Do not set SCOUT_PRIVATE_KEY unless you intend to allow the local safe-pay script to send Base Sepolia USDC, and prefer --dry-run first. Run dm-bot only when you want it to answer unread Moltbook DMs automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation indicates use of environment variables and outbound network access, but the skill declares no corresponding permissions. This creates a transparency and least-privilege problem: users and hosting platforms cannot accurately assess what sensitive data the skill may read or what external services it may contact before execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The declared purpose presents the skill as a trust-scoring and payment-gating tool, but the detected behavior extends into DM automation, on-chain analysis, identity registry queries, graph analysis, and autonomous trust/vouching logic. This mismatch is dangerous because operators may approve or invoke the skill under incomplete assumptions, exposing private communications, wallet-linked identity data, and higher-risk autonomous actions than the description suggests.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The module presents itself as an Ethereum read-only integration, but `_encodeFunctionCall` derives function selectors with SHA-256 instead of Ethereum's required Keccak-256 ABI selector. As a result, every `eth_call` built by this helper will target the wrong function selector, causing failed calls or misleading null/false results that can corrupt trust scoring and payment-gating decisions.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The bot automatically sends DM replies based on unread messages without any explicit opt-in, sender verification, approval step, or user-facing disclosure at send time. In a messaging environment this can be abused for unsolicited automated responses, accidental engagement with malicious prompts, or reputational damage if the bot replies inappropriately or at scale.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The module sends a user-supplied wallet address and related account queries to third-party blockchain explorer APIs, which discloses user interest and account-linkage metadata to external services. In a trust-scoring skill, this is privacy-relevant because queried addresses may be tied to payment decisions, agent identities, or investigation targets, and there is no visible consent, disclosure, or self-hosted alternative in this code path.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The transfer method directly submits an on-chain USDC transaction as soon as it is called, with no built-in confirmation, preview, or user-consent checkpoint in this module. In a skill explicitly designed to make trust-gated payments, that creates a real risk that upstream agent logic, prompt injection, or mistaken automation can cause irreversible token transfers without the user clearly authorizing the exact recipient and amount.

Missing User Warnings

High
Confidence
96% confidence
Finding
safePay can automatically execute a real upfront payment after only evaluating internal trust logic, without any explicit user-facing approval in this file before funds are sent. Because the skill's purpose is deciding whether to pay agents, this context makes the issue more dangerous: a manipulated trustResult, flawed scoring pipeline, or unauthorized invocation could trigger irreversible payment to an attacker-controlled address under the appearance of a safety check.

External Transmission

Medium
Category
Data Exfiltration
Content
key: opts.basescanKey || '',
      },
      'base': {
        url: 'https://api.basescan.org/api',
        key: opts.basescanKey || '',
      },
      'ethereum': {
Confidence
80% confidence
Finding
https://api.basescan.org/

External Transmission

Medium
Category
Data Exfiltration
Content
key: opts.basescanKey || '',
      },
      'ethereum': {
        url: 'https://api.etherscan.io/api',
        key: opts.etherscanKey || '',
      }
    };
Confidence
80% confidence
Finding
https://api.etherscan.io/

Unpinned Dependencies

Low
Category
Supply Chain
Content
"safe-pay": "node scripts/safe-pay.js"
  },
  "dependencies": {
    "@neondatabase/serverless": "^1.0.2",
    "ethers": "^6.11.0"
  }
}
Confidence
89% confidence
Finding
"@neondatabase/serverless": "^1.0.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "@neondatabase/serverless": "^1.0.2",
    "ethers": "^6.11.0"
  }
}
Confidence
90% confidence
Finding
"ethers": "^6.11.0"

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.