Back to skill

Security audit

Bitget Data

Security checks across malware telemetry and agentic risk

Overview

This is a real Bitget trading automation skill, but it ships plaintext exchange credentials and contains live order-changing scripts with weak safety boundaries.

Do not install or run this until any exposed Bitget credentials are revoked and removed. Use new least-privilege keys with no withdrawal permission, enable simulation or dry-run by default, review every script that can cancel or place orders, and avoid enabling cron/background agents until you understand exactly which account and symbols they can affect.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (112)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The document directly embeds what appear to be live Bitget API credentials and a passphrase in plaintext. Exposing exchange credentials in a guide creates immediate account-compromise risk, especially in a multi-agent trading context where the keys may permit reading balances, placing orders, or withdrawing funds depending on account permissions.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The guide includes ready-to-run commands that schedule recurring execution of trading-related controller scripts via cron. While documentation can legitimately show usage examples, these commands expand the file from passive documentation into operational automation that can trigger unattended actions on a live trading setup, increasing the chance of unintended financial or system impact.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The header comment claims the script only makes conservative ratio adjustments without changing the range, but the implementation cancels all existing orders and rebuilds the grid from hard-coded values. This mismatch is dangerous because an operator may trust the description and run a script that performs materially more disruptive trading actions than advertised.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script claims to place a limit order, but it deliberately sets the buy price 0.5% above the current market price to increase the chance of immediate execution. This is materially different from a user-expected passive limit order and can cause unintended taker execution at a worse price, especially in volatile markets.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script loads live Bitget API credentials from environment variables and immediately enables authenticated exchange operations without any visible scoping, permission checks, or documented business need. In an unknown skill context, granting account-level trading access is dangerous because it exposes sensitive credentials and enables financially impactful actions if the script is invoked unexpectedly or repurposed.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This code enumerates open BTC orders, cancels them in bulk, then queries balances, which constitutes destructive financial account manipulation. Because no trusted skill purpose is provided, this behavior is unjustified and could disrupt trading strategies, force missed fills, or be abused to interfere with a user's market activity.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script establishes a hard-coded HTTP CONNECT tunnel to a local proxy and then disables TLS certificate verification with rejectUnauthorized: false while sending API authentication headers. This creates a serious man-in-the-middle risk: any process controlling the local proxy or intercepting the connection can capture the API key, passphrase, and signed requests, potentially enabling unauthorized trading actions or account abuse.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The script operates on a hard-coded list of multiple symbols, which broadens the blast radius of a single execution and can cancel orders the operator did not intend to affect. In a trading context, this can cause unintended loss of strategy state or market exposure reduction across several assets with no per-symbol confirmation.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The code explicitly sets `rejectUnauthorized: false` on the HTTPS request while tunneling through a local proxy, which disables TLS certificate validation. That allows a malicious or compromised local proxy, network attacker, or hostile local service on `127.0.0.1:7897` to intercept Bitget API traffic, observe authenticated requests, and tamper with responses despite HTTPS being used.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The script states that sell orders will be created automatically after buy orders fill, but there is no watcher, scheduler, or event-driven logic to do that after the script exits. In a trading automation context, this can leave filled buy orders unmanaged, causing unintended inventory exposure and financial loss if the market moves without corresponding exit orders being placed.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script prints claims that automatic monitoring and daily reporting are active, but no such functionality exists in the file. This can mislead an operator into believing ongoing safeguards or oversight are in place after a risky trading operation, reducing the chance they notice failures, stale orders, or unexpected market exposure.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The file presents itself as requiring manual deployment, but it also includes complete, callable logic to authenticate to the exchange, cancel existing orders, and place new live orders. This mismatch is dangerous because a maintainer or downstream agent could easily invoke the existing functions or slightly modify main(), leading to unintended live trading actions despite the safety-oriented messaging.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script prints operational claims that automatic monitoring is running every 30 minutes and that daily reports will be generated at 21:00, but no such scheduler, daemon, or recurring task exists in the code. This can mislead operators into believing ongoing safeguards and reporting are active when the script only performs a one-time deployment, increasing the chance that failed orders, drift, or risky positions go unnoticed.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The script claims to use only Bitget public APIs for analysis, but later generates `apply-dynamic-grid.js`, which reads private credentials from `config.json`, signs authenticated requests, cancels pending orders, and places live trades. This mismatch is dangerous because a user may run what appears to be a read-only analysis tool and unknowingly enable a workflow that performs account-changing operations.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The file includes capability beyond local analysis by writing out a second script that performs authenticated trading operations against a real exchange. In the absence of a clear manifest or declared purpose, embedding order-management logic inside an analysis tool expands its authority unexpectedly and increases the chance of misuse or accidental execution.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The file presents itself as an RSI analysis tool, but later generates a second script capable of cancelling live exchange orders and placing new ones. That mismatch between stated purpose and actual capability is dangerous because a user may run an apparently analytical skill without realizing it prepares executable trading automation that can affect real funds.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The generated deployment script contains live-trading functions that enumerate pending orders, cancel them, and submit new limit orders against a real exchange API. Embedding this capability in a tool whose primary visible role is analysis materially increases the chance of unintended financial actions, especially if users trust it as read-only or advisory.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script loads API credentials from a local config file and uses them to generate authenticated requests to a live exchange. In this skill context, those credentials enable account-level trading actions, so compromise, misuse, or accidental execution can directly affect real assets even if the code appears intended for legitimate automation.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code exposes direct asset-modifying capability by canceling all open orders and placing new exchange orders. In a trading skill with no approval gate, guardrails, or manifest justification, this is highly dangerous because any invocation can immediately alter live positions and strategy execution across the account.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The script is presented as an analysis/optimization tool, but it also generates a helper script that will overwrite trading configuration state. In a trading context, modifying config files can materially change automated behavior and financial exposure, so this hidden state-changing side effect is security-relevant even if no code execution or credential theft is present.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
This configuration file contains what appear to be live Bitget API credentials, a passphrase, and a Feishu chat identifier embedded directly in plaintext. In a multi-agent trading context, exposing these secrets is highly dangerous because any agent, plugin, log sink, repository reader, or attacker who gains access to the file could use them to access the exchange account, place trades, exfiltrate data, or abuse notification channels.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script presents itself as 'strategy optimization' but immediately proceeds to query balances and place exchange sell orders. That mismatch is risky because a user may expect analysis or recommendations, not trading actions, and could unintentionally authorize asset sales in either simulation or live mode depending on environment configuration.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The code claims to perform quantitative market analysis but generates fake K-line history with Math.random() instead of fetching real historical candles. In a trading tool, this can directly mislead users into acting on fabricated indicators, producing unsafe or financially harmful decisions while appearing legitimate.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script reads local exchange credentials from config.json, signs authenticated requests, and queries private account endpoints such as balances and unfilled orders. Even though it appears intended as a reporting tool, embedding credentialed exchange access in a skill without clear purpose limitation, consent flow, or safeguards increases the risk of unauthorized account access and exposure of sensitive financial data.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script prints assurances that automated monitoring and daily reporting are active, but no such scheduling, monitoring loop, or reporting logic exists in this file. This can mislead an operator into believing ongoing safeguards are in place after a risky trading action, increasing the chance that failed deployments or market exposure go unnoticed.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal (+1 more)

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
bitget-cli.js:89

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
quick-start.js:112

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
setup-cron.js:28

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
cancel-all-orders.js:10

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
check-balance.js:10

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
start-avax-matic.js:10

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
start-btc-grid.js:10

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
start-eth-xrp.js:10

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
start-eth.js:9

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
start-grids.js:11

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
start-simple.js:11

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
start-sol.js:10

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
test-api-debug.js:10

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
analyze-coins.js:14

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
apply-scheme-a-final.js:16

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
cancel-all-btc.js:14

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
cancel-all.js:14

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
check-prices.js:14

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
debug-orders.js:14

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
optimize-strategy.js:14

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
rebalance.js:14

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
stop-btc-grid.js:14

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
test-eth-grid.js:14

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
use-sdk.js:17

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
analyze-strategy.js:66

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
cancel-all-orders.js:73

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
check-balance.js:65

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
optimize-grids.js:73

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
start-eth-xrp.js:71

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
start-grids.js:78

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
test-grid-api.js:65