Security audit

BotSpot Trading

Security checks across malware telemetry and agentic risk

Overview

This trading skill is coherent, but it can lead to live broker-connected trading without enough documented confirmation, limits, or stop controls.

Review carefully before installing. Use paper trading or a limited account first, inspect generated strategy code and backtest results, set strict broker-side risk limits, require explicit confirmation before live deployment, and verify how to stop bots and revoke BotSpot or broker OAuth access.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly promotes live deployment to real brokers and says users can 'deploy live' without pairing that capability with a clear, upfront warning that this can place real-money trades and cause financial loss. In a finance/trading context, ambiguity around live execution is dangerous because users may treat deployment as a harmless test step rather than authorization for real market activity.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal