OpenMM Grid Trading

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed automated crypto grid-trading skill that can place real exchange orders, but that capability matches its stated purpose and is not hidden.

Install this only if you intentionally want automated crypto trading. Run with --dry-run first, use trade-only exchange API keys with withdrawals disabled, provide only the exchange key you need, start with small sizes and conservative limits, and monitor the bot while it is running.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill includes non-dry-run trading commands that appear ready to execute live orders, but it does not clearly and prominently warn that these examples can place real trades and cause financial loss. In an agent context, users may copy or authorize these commands without realizing they are not simulations, increasing the risk of unintended live trading.

VirusTotal

66/66 vendors flagged this skill as clean.
