Security audit

ens-manager

Security checks across malware telemetry and agentic risk

Overview

This ENS skill appears purpose-built rather than malicious, but it asks agents to handle wallet secrets and submit real mainnet transactions with weak safeguards.

Install only if you are comfortable letting an agent handle Ethereum wallet credentials and submit mainnet ENS transactions. Use a fresh low-balance wallet, run dry-runs first, avoid command-line passwords and raw private keys, manually verify the name, duration, chain, signer, recipient, and ETH cost before any write, and do not rely on the registration script until the keystore/account-binding issue is fixed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger

Findings (17)

Intent-Code Divergence

Medium

Confidence: 97% confidence
Finding: The script decrypts a keystore and returns a private key, but that key is never bound to the viem wallet client. As written, registration transactions may fail, use an unintended default account, or mislead users into thinking the supplied keystore controls the registration flow when it does not. In a skill that performs irreversible on-chain registrations and payments, that mismatch is materially dangerous because users may pay gas or attempt purchases under the wrong account context.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The troubleshooting advice tells users to recursively change ownership of the entire ~/.npm directory with sudo without narrowing scope or explaining the risk. Broad ownership changes can weaken local system security, mask underlying permission problems, and encourage unsafe privilege escalation habits in a wallet- and key-handling workflow.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The document recommends storing a wallet private key in an environment variable but does not warn that environment variables may be exposed through shell history, process listings in some contexts, logs, CI systems, crash reports, or inherited subprocess environments. In an ENS manager that performs blockchain transactions, exposure of a private key can directly lead to unauthorized transfers or domain changes.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The instructions include `gh repo delete ens-manager --yes`, which is a destructive command that can permanently remove a repository and associated metadata without any warning about data loss, confirmation safeguards, or backup steps. In a publishing guide, users may copy-paste troubleshooting commands verbatim, making accidental deletion plausible.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The quick-start includes copy-paste examples that pass wallet passwords and private keys directly on the command line. In an autonomous-agent context, this is dangerous because CLI arguments can be exposed via shell history, process listings, logs, telemetry, or job runners, leading to compromise of the wallet and irreversible loss of blockchain assets or control of ENS names.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The document presents real mainnet ENS registration and subdomain creation commands as copy-paste-ready automation steps, with only cost/time notes and no prominent warning that these actions spend funds and may create permanent or hard-to-reverse on-chain state. In an agent-oriented quick-start, that increases the chance of accidental execution by users or autonomous systems, causing unintended registrations, transactions, and financial loss.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The README instructs users to pass a keystore password directly on the command line while performing live on-chain write operations that spend ETH. This is dangerous because shell history, process listings, logs, or screenshots can expose the password, and the commands trigger irreversible blockchain transactions without prominent warnings about real fund usage.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The README tells users to upload website content to IPFS and publish it through ENS gateways without warning that the content may become publicly accessible, replicated, cached, and hard to retract. Users may unintentionally publish sensitive files or private site content under a permanent or widely mirrored address.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The examples repeatedly pass the keystore password directly on the command line, which can expose the secret through shell history, process listings, logging, and CI telemetry. Because this skill manages blockchain assets, leakage of the keystore password can enable wallet compromise if an attacker also obtains the keystore file.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The markdown provides concrete ENS write-operation examples and workflow steps for creating subdomains and setting resolvers/content hashes, but it does not clearly warn that these actions submit real on-chain transactions, spend funds, and can make externally visible or hard-to-reverse changes to ENS records. In an agent skill that helps users manage ENS names, this omission increases the risk that users or downstream automation execute writes against mainnet unintentionally, causing unwanted registration/state changes and financial loss from gas or misconfiguration.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: Accepting the keystore password via a --password CLI flag exposes the secret through shell history, process listings, CI logs, and terminal telemetry. In this skill's context, that password protects a wallet used to sign ENS transactions, so disclosure can lead to private key recovery and unauthorized on-chain actions.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: Accepting the keystore password directly on the command line exposes it to shell history, process listings, logging, and multi-user system inspection. Because this script is intended to decrypt a wallet keystore for real Ethereum transactions, password disclosure can lead to private key compromise and theft of funds if an attacker also obtains the keystore file. The blockchain context makes this more dangerous than a generic CLI secret leak because the affected credentials protect valuable on-chain assets.

Sudo/Root Execution

Medium

Category: Privilege Escalation
Content: **Install if needed:** - macOS: `brew install node` - Ubuntu: `curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash - && sudo apt-get install -y nodejs` - Windows: Download from https://nodejs.org ---
Confidence: 96% confidence
Finding: sudo

Sudo/Root Execution

Medium

Category: Privilege Escalation
Content: **Install if needed:** - macOS: `brew install node` - Ubuntu: `curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash - && sudo apt-get install -y nodejs` - Windows: Download from https://nodejs.org ---
Confidence: 96% confidence
Finding: sudo

Sudo/Root Execution

Medium

Category: Privilege Escalation
Content: **Install if needed:** - macOS: `brew install node` - Ubuntu: `curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash - && sudo apt-get install -y nodejs` - Windows: Download from https://nodejs.org ---
Confidence: 96% confidence
Finding: sudo -E

Chaining Abuse

High

Category: Tool Misuse
Content: **Install if needed:** - macOS: `brew install node` - Ubuntu: `curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash - && sudo apt-get install -y nodejs` - Windows: Download from https://nodejs.org ---
Confidence: 97% confidence
Finding: && sudo

Chaining Abuse

High

Category: Tool Misuse
Content: **Install if needed:** - macOS: `brew install node` - Ubuntu: `curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash - && sudo apt-get install -y nodejs` - Windows: Download from https://nodejs.org ---
Confidence: 97% confidence
Finding: | sudo

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal