Trade

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent token-trading helper, but it can execute real authenticated wallet swaps through an unpinned external CLI without a required final confirmation step.

Install only if you are comfortable allowing an agent to use an authenticated wallet trading CLI. Before any swap, manually verify the active wallet, Base network, token addresses, amount, expected output, fees, and slippage, and require an explicit final confirmation; prefer a pinned reviewed version of the `awal` CLI over `@latest`.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill enables real token swaps but does not require an explicit user confirmation or prominently warn that trades are irreversible, subject to slippage, and can result in value loss. In an agent setting, this increases the chance of unintended asset movement from ambiguous prompts, misunderstood amounts, or token-selection mistakes.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal