Crypto Price Alert

Security checks across malware telemetry and agentic risk

Overview

This crypto alert skill is coherent and non-executable, but users should handle portfolio details and notification credentials carefully.

Before installing, use dedicated low-privilege notification credentials, private channels, and secure secret storage. Provide only the holdings needed for tracking, avoid wallet seed phrases or exchange trading keys, and confirm how alerts, reports, and stored configuration can be reviewed, changed, or disabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly handles sensitive financial information such as portfolio holdings and sends alerts through third-party services including Telegram, Discord, Slack, email, and external market-data APIs, but it provides no privacy or security warnings about data exposure, credential handling, or the risks of sharing financial metadata with those providers. This omission can mislead users into providing bot tokens, webhook URLs, SMTP credentials, and portfolio details without understanding that these services may log, retain, or expose that information if misconfigured or compromised.

VirusTotal

64/64 vendors flagged this skill as clean.
