Agent Fuel

Security checks across malware telemetry and agentic risk

Overview

This skill is openly about wallet automation, but it gives agents automatic real-money spending paths with weak scoping and unsafe shell execution patterns.

Install only after review. Use a dedicated low-limit wallet and funding source, disable daemon and x402 auto-pay by default, require manual confirmation for buys and sends, and do not trust this version for arbitrary 402 responses until shell execution, recipient validation, allowlists, cooldowns, and kill-switch behavior are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The script allows a configuration value (notifyCmd) to define an arbitrary shell command, which is unrelated to the core wallet-monitoring logic and is later executed. In a wallet-management skill that can trigger payments, this expands the trust boundary to whoever can modify the config file and enables direct code execution on the host.

Context-Inappropriate Capability
Severity: High
Confidence: 100%
Finding: The notification hook uses eval on a configurable string, which allows shell metacharacters and command chaining to execute arbitrary commands. Because this runs inside an autonomous payment/top-up tool, successful exploitation can lead to host compromise, secret theft, or unauthorized financial actions beyond notifications.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The code constructs shell commands with interpolated values from configuration (`chain`, `currency`) and executes them via `execSync`. If an attacker can modify the config file or influence environment/setup, shell metacharacters can turn a wallet-balance check into arbitrary command execution on the host, which is far more dangerous than the skill’s stated wallet-management purpose.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The x402 payment path decodes attacker-controlled header data and interpolates `requirements.payTo` and `amount` directly into a shell command. A malicious server can return a crafted payment header that triggers arbitrary command execution or redirects funds, making this a severe remote attack surface in addition to unauthorized payment behavior.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The README promotes autonomous crypto purchases and automated payment signing as a core feature, but it does not present a prominent upfront warning that this skill can trigger real-money buys, token swaps, and paid API requests. In the context of an agent skill, that omission is dangerous because users may enable it expecting routine wallet automation without fully understanding that external financial transactions can be executed automatically on their behalf.

Vague Triggers
Severity: Medium
Confidence: 92%
Finding: The auto top-up logic is described as an autonomous trigger based on balance thresholds, but it does not define strong activation constraints, confirmation boundaries, cooldown enforcement, or source-of-truth validation for balance and spend state. In practice, noisy balance readings, logic bugs, repeated retries, or adversarial prompting could repeatedly trigger real-money purchases.

Missing User Warnings
Severity: High
Confidence: 96%
Finding: The skill promotes autonomous token purchases and top-ups but does not present an upfront, prominent warning that these actions spend real funds and may incur fees, slippage, or irreversible transfers. Users may enable the skill expecting routine wallet maintenance without understanding that it can initiate fiat-to-crypto purchases automatically.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The x402 flow instructs the agent to automatically parse payment requirements, sign a payment, and retry the request, but it does not clearly warn users that an API retry may trigger a paid on-chain or wallet transaction. This can normalize invisible micropayments and create a path for unbounded or spoofed payment demands if header validation and spend controls are weak.

Missing User Warnings
Severity: High
Confidence: 95%
Finding: The script can initiate real-money top-up purchases automatically when the monitored balance falls below a threshold, with no interactive confirmation or stronger authorization gate. In the context of autonomous wallet management, mistakes, manipulated balances, bad configuration, or repeated triggering can cause unauthorized or unintended spending.

Missing User Warnings
Severity: High
Confidence: 98%
Finding: The configuration explicitly supports arbitrary notification commands, and those commands are executed later via the shell without meaningful safety controls. In a skill that manages wallets and payments, hidden command execution in config is especially dangerous because it can be abused to run unrelated code while appearing to be a benign notification feature.

Missing User Warnings
Severity: High
Confidence: 97%
Finding: The skill automatically pays x402 requests without any explicit user approval, trusted-origin check, or interactive warning. In this context, the feature is especially dangerous because the skill manages real funds and processes payment demands from external services, so a malicious or compromised endpoint can drain wallet balance within configured limits.

VirusTotal

66/66 vendors flagged this skill as clean.