Crypto Funding Monitor

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it ships a payment API key and has weak controls around paid subscription activation and outbound notifications.

Review before installing or deploying. Do not use the bundled SkillPay key; treat it as compromised, rotate it, and replace it with your own secret stored outside the package. Restrict the service to trusted callers, add authentication and verified payment webhooks, and confirm users have opted into recurring messages and third-party delivery channels.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documentation directly exposes a concrete SkillPay API key and states it is already configured, which is effectively a credential leak. Anyone who reads the file may be able to use the key for unauthorized API calls, incur billing, or abuse the associated account until the secret is revoked.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The README includes what appears to be a real SkillPay API key rather than a placeholder example. Publishing live credentials in documentation can allow unauthorized third parties to use the payment integration, incur charges, impersonate the service, or pivot into related systems if the key is still valid.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The documentation includes a live-looking SkillPay API key directly in a `.env` example, which is a credential exposure issue even if it is only shown in docs. Anyone who copies the example or sees the repository can misuse the key for unauthorized API calls, billing abuse, or account compromise, and the fact that it is tied to payment infrastructure makes the context more sensitive.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The manifest contains a concrete API key directly in skill.json, which is a sensitive secret exposed to anyone who can view or distribute the skill package. This can enable unauthorized use of the associated service, quota theft, billing abuse, or compromise of downstream systems if the key grants broader access than intended.

Missing User Warnings

High
Confidence
90% confidence
Finding
The quickstart explicitly tells users the paid functionality is ready to use with a preconfigured API key, encouraging execution of chargeable operations without addressing credential ownership, billing exposure, or secret handling. In this context, that materially increases the chance of unauthorized use of someone else's payment account and downstream financial abuse.

Missing User Warnings

Critical
Confidence
100% confidence
Finding
This section publishes a full SkillPay API key in cleartext and provides no warning about credential sensitivity, billing impact, or secure storage. Because the key appears tied to a payment service, compromise could enable unauthorized transactions or service consumption, making the exposure especially severe in this skill's paid-operation context.

Missing User Warnings

Medium
Confidence
75% confidence
Finding
The README advertises monitoring and pushing information across third-party platforms like Telegram, Discord, email, X, and RootData without any privacy notice or explanation of what data is collected, transmitted, or retained. This increases the risk of users unknowingly sharing sensitive monitoring results, subscriber identifiers, or credentials with external services.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README instructs users to store numerous secrets in `.env`, including API keys, bot tokens, webhook URLs, and email credentials, but gives no warning about safe secret handling. In practice, users may commit `.env` files, reuse production credentials insecurely, or expose secrets in logs and support channels, leading to account compromise and unauthorized outbound messaging.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documentation explicitly collects and uses user identifiers and contact destinations such as userId, Telegram chat IDs, and email addresses, but it provides no privacy notice, retention policy, consent model, or warning about how this data is stored and processed. In a skill that triggers outbound messaging and payment-linked actions, this omission creates a real privacy and misuse risk because operators or integrators may handle sensitive routing data without adequate safeguards or user awareness.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill supports scheduled automated notifications via Telegram, Discord, and email, but the documentation does not adequately warn users about persistent outbound messaging, frequency risks, or possible side effects such as spam, unwanted charges, or repeated delivery to third-party channels. Because scheduled pushes can continue after initial setup, unclear disclosure increases the chance of accidental abuse, over-notification, and delivery to unintended recipients.

Missing User Warnings

High
Confidence
99% confidence
Finding
The `.env` example contains real-looking secret material without any indication that the values are placeholders or must be replaced, which trains users into unsafe secret-handling practices and may already disclose valid credentials. In this skill's context, the exposed values cover payment and notification channels, so exploitation could lead to fraud, spam, service abuse, or account takeover of integrated services.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The module transmits userId, action, timestamp, and billing-related amount to a third-party API, but there is no evidence in this file of consent, disclosure, minimization, or controls around that telemetry. In a skill context, silent external usage logging can expose user activity patterns and identifiers to an external service, creating privacy and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.
