Cogdx Pre Trade Audit

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent, but it combines external reasoning analysis, trading credentials, optional live trade execution, and an under-disclosed scheduled automaton.

Review before installing. Use dry-run first; do not set SIMMER_API_KEY unless you intend to delegate trading authority; disable, or at least understand, the managed 15-minute automaton; and avoid sending proprietary strategies or secrets in reasoning text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill advertises network and environment-variable dependent behavior but does not declare corresponding permissions. That creates hidden capability surface: a caller may treat the skill as low-risk while it can still read secrets and contact external services, which is especially sensitive in a trading context. Because the undocumented capabilities support API-key use and remote calls, the omission undermines informed consent and safe sandboxing.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 97%
Finding
The stated purpose is reasoning verification, but the documentation indicates additional high-risk behaviors including actual trade execution, CLI trading operations, and wallet/payment header usage. This mismatch can cause users or orchestrators to invoke the skill under the assumption it is advisory-only when it can perform real external actions with financial consequences. In an agent ecosystem, capability understatement is dangerous because policy, approval, and sandbox decisions often rely on the declared description.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The manifest frames the skill as a cognitive diagnostic layer, while the body text says it 'handles all the plumbing' including trade execution and safeguards. That discrepancy increases the chance that reviewers, users, or automated policy systems underestimate the operational power of the skill. In a financial workflow, hidden execution capability materially raises risk because mistaken invocation can trigger market actions rather than mere analysis.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
Trade execution is not necessary to fulfill the core purpose of evaluating reasoning quality, so bundling it into the same skill violates least functionality. Combining diagnosis and execution reduces reviewability and increases blast radius: any misuse, prompt confusion, or integration mistake can move directly from analysis to financial action. The trading context makes this more dangerous than a typical auxiliary feature because even a single unintended live order can cause monetary loss.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The skill is presented as a cognitive audit layer, but it also contains code to execute real trades when live=True. That creates a capability mismatch: a user may invoke what appears to be an analysis-only tool and inadvertently authorize market actions, especially in agentic workflows where the skill may be selected automatically.

Context-Inappropriate Capability

High
Confidence: 91%
Finding
The module initializes a trading client and embeds trading metadata despite the stated purpose being cognitive diagnostics. In an agent ecosystem, bundling execution primitives into an analysis skill expands the blast radius of misuse and makes privilege boundaries unclear.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation mentions optional live trade execution but does not provide a clear, prominent warning that this can place real-money or real-order transactions. Users may interpret the feature as a harmless simulation or overlook that changing a flag could trigger irreversible financial activity. In a market-trading setting, insufficient warning around live execution creates a significant risk of accidental orders and monetary loss.

Missing User Warnings

Medium
Confidence: 95%
Finding
The code transmits the full reasoning trace to an external service without an inline warning or explicit consent mechanism at the point of transmission. Trade reasoning may contain proprietary strategies, internal prompts, or sensitive context, so silent exfiltration to a third party creates confidentiality and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.