Back to skill

Security audit

Nofa Backtest

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a legitimate crypto backtesting API guide, but it needs review because it mixes credential use, remote execution, inconsistent API domains, and optional payment-signing flows without clear consent boundaries.

Install only if you trust NOFA/Reclaw with your generated trading strategies and API key. Require explicit approval before registration, before any backtest or dry-run API call, and especially before x402 payment use. Do not put a real XRPL wallet seed into prompts, logs, agent memory, or examples, and treat the api-dev versus api-staging mismatch as something the publisher should clarify before credentials are used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The skill gives a strict instruction that API keys must only be sent to `api-dev.reclaw.xyz`, but later provides examples that attach the same bearer token to `api-staging.reclaw.xyz`. This inconsistency can train an agent to ignore origin restrictions and disclose credentials to a different domain/environment than the one explicitly declared safe.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The document expands a strategy-construction skill into an instruction to perform a network-side backtest API call, changing the skill from local content generation into external action. That creates a scope-escalation risk: an agent may transmit user-derived strategy data and trigger backend processing without a clearly separated execution step, approval gate, or least-privilege boundary.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation criteria include broad phrases like creating a strategy or making a trade with conditions, which can cause the skill to trigger in conversations that do not actually intend NOFA-specific strategy generation. Overbroad triggering increases the chance of unintended mode switching, auto-filling defaults, and eventual downstream API actions based on incomplete or misinterpreted user intent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to call the backtest API after generating JSON but does not require a user-facing consent or disclosure step before transmitting data. This is dangerous because user inputs, generated strategies, and chosen parameters may be sent to an external service without clear authorization, violating user expectations and increasing privacy and autonomy risks.

Vague Triggers

Low
Confidence
88% confidence
Finding
The manifest exposes a broadly described trading/backtesting skill without clear activation boundaries, allowed contexts, or constraints on when an agent should invoke it. In agent ecosystems, vague capability descriptions can cause overbroad or unintended invocation for sensitive financial actions, increasing the chance of accidental credential creation, remote requests, or trading-related operations without sufficient user intent verification.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The manifest states that agents can self-register publicly and immediately receive a bearer API key, but it does not include a prominent warning about credential issuance, storage sensitivity, or that user/strategy data will be transmitted to a remote third-party API. In a trading-related context, this is more dangerous because agents may create accounts and send potentially sensitive financial strategies or session data off-platform without clear user awareness or consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal