Back to skill

Security audit

trade-with-aiusd

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned for crypto trading, but it combines high-impact financial actions with under-scoped install, auth-reset, and credential-cache behavior that users should review carefully.

Install only if you trust the publisher and are comfortable with a skill that can interact with financial accounts. Before use, inspect the embedded package and package.json, avoid running npm install scripts blindly, require explicit confirmation for every trade, withdrawal, staking action, gas top-up, and credential-cache deletion, and use a wallet/account with limited funds and permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt LeakageDirect Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (10)

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The skill gives strict user-facing instructions to avoid step-by-step reauthentication guidance, but elsewhere instructs the agent to run reauth flows and clear credential caches automatically. This inconsistency can cause the agent to conceal impactful auth-handling behavior from the user while still performing it, reducing transparency around security-sensitive actions.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The installer executes external commands (`tar -xzf` and `npm install`) on an embedded opaque archive without validating its contents. Running `npm install` can execute arbitrary lifecycle scripts from the packaged `package.json`, turning installation into code execution on the analyst or user system.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The installer executes `npm install` on an extracted, opaque package archive. `npm install` can run dependency lifecycle scripts such as `preinstall`, `install`, and `postinstall`, which gives arbitrary code execution to whatever is inside the bundled package and its dependency tree. Because the payload is base64-embedded and not reviewed here, this materially increases risk beyond simple file extraction.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README promotes trading, staking, and withdrawal actions through natural-language prompts without clearly warning users that these operations can move funds irreversibly, incur losses, or trigger unintended transactions. In a bot-integrated financial skill, this omission increases the chance that users treat high-risk actions as routine chat commands and execute asset movements without informed consent or adequate caution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented reauth procedure includes clearing `~/.mcporter/`, `~/.mcp-hub/`, and other auth caches without warning or confirmation. Those are destructive credential-management actions that can sign users out, remove tokens, or switch account state unexpectedly, and doing so automatically is dangerous in an agent context.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill is designed to perform trading, staking, withdrawals, and gas top-ups, all of which are high-impact financial actions, but the top-level description does not emphasize consent, confirmation, or transaction safeguards. In a wallet/account-management skill, lack of explicit user-warning and confirmation boundaries materially increases the risk of unintended financial loss.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The installer unconditionally removes an existing `aiusd-skill` directory recursively with no confirmation or backup. This can destroy user data or overwrite a previously reviewed installation, which is especially dangerous in an untrusted installer context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script unconditionally deletes any existing `aiusd-skill` directory with `rm -rf` before reinstalling. This is destructive behavior without confirmation, backup, or validation that the target is the intended installation path, creating risk of data loss if the directory contains user modifications or valuable state.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The installer automatically extracts an embedded archive and immediately runs package installation commands without any warning, review step, or consent gate. In practice this turns the installer into a one-step arbitrary code execution path if the bundled package or its dependency graph is malicious or compromised.

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
This skill calls the AIUSD backend via MCP. Auth is resolved in order: env `MCP_HUB_TOKEN`, mcporter OAuth, or local `~/.mcp-hub/token.json`. Ensure a valid Bearer token is available before calling.

## ⚠️ Agent Output Guidelines

**CRITICAL - ABSOLUTELY FORBIDDEN PHRASES**:
Agents must NEVER use these words or phrases when responding to users:
Confidence
88% confidence
Finding
Output Guidelines

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
aiusd-skill-installer.js:58