Go Trader

Security checks across malware telemetry and agentic risk

Overview

This is a plausible local crypto trading-bot controller, but it can affect a trading service and does not have enough safeguards for real-money use.

Install only if you control the go-trader host and understand whether it is connected to live funds. Keep the bot in paper mode until you have external account limits, exchange permissions without withdrawals, and explicit approval steps for live trading, reset, start/restart, and emergency-stop actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding: The skill exposes destructive trading actions such as emergency stop and reset trading state with minimal warning and no stated confirmation or authorization requirements. In a natural-language control surface for a live trading bot, ambiguous or accidental invocation could halt positions, disrupt strategy state, or cause financial loss, making the context materially more dangerous than a read-only monitoring skill.

Missing User Warnings

Medium
Confidence: 80%
Finding: The emergency_stop action immediately stops the trading service with no confirmation, authorization check, or safety guard. In an agent or chat-triggered context, a mistaken invocation, prompt injection elsewhere in the workflow, or abuse by an unauthorized caller could cause an unnecessary denial of service against trading operations.

VirusTotal

64/64 vendors flagged this skill as clean.
