Back to skill

Security audit

VibeTrader

Security checks across malware telemetry and agentic risk

Overview

VibeTrader appears to be a real trading integration, but it gives an AI agent live trading and account-changing authority without clearly documented confirmations or risk controls.

Review carefully before installing. Use paper mode first, only provide a live-trading-capable key if you trust VibeTrader and have broker-side limits in place, and require explicit human confirmation before live orders, position closes, bot starts, or bot deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly encourages real-money trading actions such as "Buy $500 of TSLA" and advertises "Live & Paper Trading" without any warning about financial risk, irreversible order execution, or the need for explicit confirmation before placing live trades. In a chat-driven agent context, this is dangerous because users may treat natural-language commands casually and may not realize they are triggering real financial transactions.

Missing User Warnings

High
Confidence
94% confidence
Finding
The skill explicitly supports switching to live trading and placing real-money orders, but the documentation does not provide prominent warnings, confirmation requirements, or safe-default guidance around irreversible financial actions. In an agent setting, ambiguous natural-language commands could lead to unintended live trades or losses, especially because the skill normalizes live trading as a routine mode switch.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example prompts include destructive or high-risk actions such as deleting bots, buying securities, and closing positions without surrounding cautionary language. In a natural-language agent context, examples strongly shape behavior, so presenting these actions without warnings or confirmation expectations increases the chance of accidental execution or unsafe user assumptions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The manifest explicitly advertises live trading capability but does not provide any warning, confirmation requirement, or safety language about real-money and potentially irreversible financial actions. In the context of an AI-powered natural-language trading skill, this increases the risk that users or upstream agents invoke live trading features without understanding the consequences, which can lead to immediate financial loss.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.