Back to skill

Security audit

AI News BNB Trader

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real trading bot, but live mode can automatically move wallet funds and some safeguards are under-scoped or misleading.

Review before installing. Use only a dedicated low-balance wallet, keep DRY_RUN=true until you have tested the full flow, verify RPC/news/1inch/token settings, and do not provide a main wallet private key. Treat live mode as capable of irreversible financial loss, and stop the running process directly rather than relying only on the panic command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises network access and environment-variable use but does not declare permissions, which weakens transparency and any permission-gating a host platform may rely on. In a trading skill that can access wallet credentials and external APIs, undeclared capabilities increase the chance of users or orchestration systems invoking it without understanding its real access requirements.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior omits or understates important security-relevant capabilities: local secret-file creation for encrypted keys, dependence on an external AI service, and discrepancies around WebSocket usage. For an automated trading bot, this mismatch can mislead users about where secrets go, what third parties receive data, and what code paths are actually active, creating unsafe deployment assumptions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The listed commands can alter wallet state on-chain or create sensitive material on disk, but the documentation does not clearly warn users before they run them. In this context, a user could unintentionally revoke approvals, trigger emergency state changes, or write encrypted key material to a local path with inadequate file-handling practices.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code loads a signing key directly from configuration or decrypts it locally and immediately uses it to create a live wallet capable of broadcasting transactions. In a trading bot that can execute on-chain swaps, handling private keys this way without an explicit user-consent flow, hardware wallet isolation, or prominent operational warning increases the chance of unintended fund exposure, misuse, or insecure deployment.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The bot can autonomously execute token swaps based on fetched news and model output, with no per-trade confirmation or interactive warning before funds are moved. In this skill's context, that is especially dangerous because untrusted or manipulated news inputs, model errors, or configuration mistakes can trigger real on-chain trades and irreversible losses despite some risk controls.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The CLI collects the passphrase using a standard readline prompt, which echoes typed characters to the terminal. This can expose the passphrase to shoulder-surfing, screen recording, terminal logging, or shell/session capture, weakening protection of the encrypted private key. In a cryptocurrency trading bot context, compromise of the passphrase can enable recovery and misuse of a wallet key, making this more security-sensitive than a typical non-financial CLI.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.