Dexscreener CLI

Security checks across malware telemetry and agentic risk

Overview

This skill is for DexScreener market-data lookup, but it automatically installs an unpinned third-party npm CLI globally before use.

Review before installing. The skill appears intended to query public crypto market data, but first use can install a third-party npm package globally. Verify the exact package name and publisher, consider installing a pinned version yourself, and only allow it if you are comfortable with persistent changes to your Node/npm environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill instructs the agent to automatically run `npm install -g` for a third-party package and then execute the resulting CLI, but the description does not clearly warn the user that arbitrary external code may be installed and run on the host. This is dangerous because global package installation introduces supply-chain and execution risk, especially in an agent context where users may believe they are only performing a read-only API query.

VirusTotal

64/64 vendors flagged this skill as clean.
