Back to skill

Security audit

trade-with-aiusd

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real AIUSD trading skill, but it needs review because it can move funds and its installers and auth reset flows make broad local changes.

Install only from a trusted AIUSD source and inspect the extracted package before running either installer. Do not use it on a shared host or a machine with unrelated wallet, exchange, or API credentials. Require explicit human confirmation for every trade, stake, withdrawal, and gas top-up, including asset, amount, destination, network, fees, and expected result. Treat reauth/reset commands as destructive because they can remove shared local authentication state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt LeakageDirect Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is presented as a trading/account-management reference, but the documented behavior also includes installation, archive extraction, directory replacement, and package installation. That mismatch is security-relevant because an agent or user may grant trust appropriate for a read-only financial skill while actually being guided into executing system-level changes and third-party code.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The file presented as a trading/account-management skill is actually an installer that unpacks an opaque embedded archive and runs package installation steps locally. This is dangerous because it expands the skill's capability from declared business logic into arbitrary code delivery and execution, which users would not reasonably expect from the manifest description.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Importing child_process and then invoking shell commands to extract and install software gives the skill arbitrary local execution capability unrelated to its stated trading purpose. In the context of an agent skill, this is especially dangerous because it can execute unreviewed code paths and system commands on the host during setup.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The installer forcibly removes an existing aiusd-skill directory before reinstalling, causing destructive local changes not justified by the stated trading functionality. This can lead to data loss, overwrite trusted content, or clear evidence of prior inspection before replacing it with newly extracted contents.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The installer runs `npm install` on code extracted from an embedded archive, which will execute package lifecycle scripts such as `preinstall`, `install`, and `postinstall`. Because the archive contents are opaque in this file and the skill is a cryptocurrency trading/account-management tool likely to handle API keys and wallet-related secrets, this creates a direct arbitrary-code-execution path during installation.

Context-Inappropriate Capability

Low
Confidence
92% confidence
Finding
The script unconditionally removes an existing `aiusd-skill` directory with `rm -rf` before extraction. This can destroy user data, local configuration, API credentials, logs, or custom modifications stored in that directory, especially dangerous for a trading skill where configuration may contain exchange secrets.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README describes a very broad skill purpose and natural-language operation model for sensitive financial actions across many chat platforms. In an agent ecosystem, vague invocation scope can increase the chance of unintended activation or misrouting of ordinary conversation into balance checks, trades, withdrawals, or other account-affecting actions.

Missing User Warnings

High
Confidence
96% confidence
Finding
The README actively encourages trading, staking, withdrawals, and gas top-ups through conversational prompts, but it does not prominently warn users that these actions can move funds, incur fees, or create irreversible financial loss. In a chat-driven assistant, presenting these actions casually increases the risk that users trigger real transactions without understanding the consequences or that an agent executes them without adequate friction.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The re-auth flow instructs clearing credential caches and token files, which is a destructive action affecting local auth state, but it does not clearly warn about what will be deleted or the operational consequences. This can cause account/session disruption, accidental loss of stored credentials, or confusion in shared or managed environments.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
Recursive deletion without any confirmation or safety checks is a destructive behavior that can remove local files unexpectedly. Even though the path is fixed under the current working directory, in a skill context this still creates avoidable risk of data loss and makes malicious replacement easier.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Deleting an existing installation without prior confirmation is unsafe because users may lose important state or secrets unexpectedly. In the context of a crypto trading skill, silent overwrite/removal raises the risk of losing API config, strategy files, or audit-relevant transaction data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The installer executes `npm install` from untrusted extracted content without a clear warning that installation scripts may run code. Users may believe they are only unpacking the skill, while package lifecycle hooks can perform arbitrary actions such as exfiltrating credentials, modifying files, or installing persistence.

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
This skill calls the AIUSD backend via MCP. Auth is resolved in order: env `MCP_HUB_TOKEN`, mcporter OAuth, or local `~/.mcp-hub/token.json`. Ensure a valid Bearer token is available before calling. **Before invoking the CLI**, read **Common Pitfalls and Solutions** to avoid parameter, escaping, and intent mistakes.

## ⚠️ Agent Output Guidelines

**CRITICAL - ABSOLUTELY FORBIDDEN PHRASES**:
Agents must NEVER use these words or phrases when responding to users:
Confidence
95% confidence
Finding
Output Guidelines

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
aiusd-skill-installer.js:58