Back to skill

Security audit

Avantis Skill

Security checks across malware telemetry and agentic risk

Overview

This is a real Avantis trading skill, but it handles wallet private keys and live leveraged trades in unsafe, under-scoped ways that could put funds at risk.

Install only for a dedicated low-value trading wallet, never a primary wallet. Treat any bundled hardcoded private keys as compromised, avoid plaintext private-key files, and manually review wallet, collateral, leverage, approval amount, slippage, TP/SL, and close details before allowing any transaction to be broadcast.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill’s declared purpose is trading, but the documented behavior includes sensitive credential handling and wallet/allowance operations that materially expand its risk profile. In a skill with direct wallet integration and leveraged trading, undisclosed secret access and token approval behavior can expose funds or authorize unintended on-chain actions if users invoke it without understanding those side effects.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script's stated purpose is only to view positions, but it loads a raw private key from a local wallet file and configures a local signer anyway. This unnecessarily exposes a signing credential in a read-only workflow, increasing the blast radius if the script is modified, logs are captured, the dependency stack is compromised, or the host is shared.

Missing User Warnings

High
Confidence
98% confidence
Finding
The README explicitly instructs users to place a raw wallet private key into a plaintext file, which creates a high risk of credential theft from local compromise, backups, logs, shell history, or accidental repository inclusion. In the context of a leverage-trading skill with direct wallet integration, compromise of that key can immediately lead to theft of funds, unauthorized trades, and liquidation risk.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The description is broad enough that an agent may invoke the skill for generic market or trading requests without the user realizing it can place leveraged trades using a configured wallet. In this context, unintended activation is more dangerous because actions are financial, on-chain, and potentially irreversible.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documentation exposes the filesystem location of a private key tied to the main trading wallet without any warning or protective guidance. Revealing where secrets are stored lowers the barrier for credential theft by any local process, user, or adjacent skill that can access the host, and here compromise would directly enable unauthorized leveraged trading or fund movement.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The quick-start provides copy-pasteable commands to open and close leveraged positions but does not clearly warn that these commands execute real trades against a live wallet and can cause immediate financial loss. In a wallet-integrated trading skill, omission of an explicit live-trading warning materially increases the chance of accidental execution by users who may assume they are in a demo or dry-run workflow.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The document discloses a specific wallet address along with balance, gas availability, and approval status, which exposes operational details about a funded trading wallet. While blockchain addresses are public, consolidating this information in documentation aids targeting, profiling, and social-engineering against the operator and can encourage unsafe reuse of a live wallet in examples.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script hardcodes a blockchain private key and immediately uses it to configure a local signer. Embedding a live wallet credential in source code is a severe secret-management failure: anyone with file or repository access can extract the key, impersonate the wallet owner, and execute irreversible on-chain actions including leveraged trades and fund transfers.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script directly reads a private key from a fixed local wallet file and immediately uses it to authorize on-chain transactions, without any user confirmation, disclosure, or safer secret-handling controls. In the context of a trading skill that can close leveraged positions on mainnet, this creates a significant risk of unintended fund movement if the script is invoked by another component, run in the wrong environment, or the file is exposed to other local users/processes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code reads a sensitive private key from a local wallet file without warning, consent, or any indication to the user that a credential will be accessed. In an agent skill context, this is especially risky because users may invoke a seemingly harmless 'view positions' utility without realizing it touches wallet secrets.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script directly reads a private key from a fixed local file path and immediately uses it for transaction signing, creating a dangerous secret-handling pattern. In an agent skill context, this is especially risky because invoking the skill can silently access a real wallet and authorize financial actions without making key usage explicit to the user.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script automatically performs token approval and submits a leveraged market trade with no interactive confirmation before irreversible on-chain actions. In this skill's context, which is explicitly designed for real leveraged trading with direct wallet integration, silent execution greatly increases the chance of unauthorized or accidental fund loss, amplified by leverage up to 100x.

Ssd 3

High
Confidence
99% confidence
Finding
The skill explicitly discloses the location of a private key file for the main wallet, which is sensitive operational security information. In a wallet-integrated leverage trading skill, this is especially dangerous because anyone who gains local access or can influence other tooling now knows exactly where to look for the credential that controls real funds and trading authority.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.