cTrader Commander

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about trading use, but it gives broad no-token access to a credentialed trading proxy without clear safety controls.

Install only if you are comfortable letting an agent reach a local proxy that can act on your cTrader account. Use a demo or restricted account first, review and pin the external proxy code, keep the proxy bound to trusted local access only, stop it when not supervised, and require your own manual confirmation before any order, close, cancel, account switch, or generic command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

High (97% confidence)
Finding
The manifest presents a bounded trading/account-management skill, but the documentation additionally exposes a generic command passthrough that can invoke arbitrary cTrader API commands via the credential-backed local proxy. This materially expands capability beyond the declared scope and enables unintended or dangerous operations, especially because no credentials are required at call time and commands execute under the server's configured account.

Context-Inappropriate Capability

Medium (88% confidence)
Finding
The skill includes an account-switching endpoint even though the manifest describes ordinary order placement, quotes, candles, and balance queries. This creates an undeclared privilege expansion: a caller may change the active account and then perform trades or queries against a different account than the user intended.

Description-Behavior Mismatch

Medium (95% confidence)
Finding
The documented generic `GET /get-data?command=...` endpoint exposes capabilities beyond the stated skill scope, including trade-closing and order-cancellation actions that are omitted from the manifest-facing description. This creates a dangerous mismatch where downstream systems or users may treat the skill as lower risk than it really is, enabling unauthorized destructive trading actions through an undocumented path.

Context-Inappropriate Capability

High (98% confidence)
Finding
A generic passthrough that accepts arbitrary cTrader commands substantially expands the reachable attack surface from a narrow trading helper into broad account and trading API access. Because no caller token is required and server-side credentials are implicitly reused, any agent able to reach this local proxy could invoke sensitive account, order, and position operations not justified by the declared skill purpose.

Description-Behavior Mismatch

Medium (90% confidence)
Finding
Documenting `ProtoOAGetAccountListByAccessTokenReq` exposes the ability to enumerate all accounts tied to the server-side token, which exceeds the described skill capabilities and reveals additional account scope to callers. In an agent setting, this can facilitate account discovery, unintended account switching, and follow-on unauthorized trading against accounts the user did not intend to expose.

Description-Behavior Mismatch

Medium (96% confidence)
Finding
Exposing `ClosePosition` and `CancelOrder` without reflecting them in the manifest hides destructive trading capabilities from users and any policy layer relying on the declared skill scope. In this context, the omission is especially dangerous because the skill can act on live brokerage accounts using server-side credentials, so an agent could unwind positions or cancel protection orders unexpectedly.

Vague Triggers

Medium (80% confidence)
Finding
The invocation guidance is broad enough to trigger on common trading-related requests without clear safety constraints, despite the skill being able to place and manage real orders through a live credential-backed proxy. In this context, ambiguous routing increases the risk of accidental execution of high-impact financial actions.

Missing User Warnings

High (95% confidence)
Finding
The documentation provides direct procedures for placing, modifying, and closing trades without an explicit warning that these may affect a real funded account. Because the proxy uses server-side credentials automatically, a user or agent may initiate irreversible financial actions without appreciating that they are live rather than simulated.

Missing User Warnings

Medium (90% confidence)
Finding
The skill states that credentials live in a local `.env` and are never passed by callers, but it does not warn that any caller with local access to the skill may exercise those credentials indirectly via the proxy. This can expose account data and enable unauthorized use of sensitive, credential-backed trading functionality.

Missing User Warnings

Medium (92% confidence)
Finding
The documentation presents live trading, account switching, position closing, and order cancellation as ordinary API calls without any warning that they have immediate real-money consequences. In an agentic environment, lack of explicit safety language and confirmation expectations materially increases the chance of accidental destructive execution, especially since no caller-side credential is required.

VirusTotal

66/66 vendors flagged this skill as clean.
