Back to skill

Security audit

PredictMe - AI Trading Agent

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed crypto prediction-market agent, but it needs Review because it encourages autonomous betting and plaintext API-key storage with limited approval controls.

Install only if you intentionally want an agent that can register with PredictMe, store an API key, and place autonomous crypto prediction-market bets using TEST/BONUS balances. Configure explicit approval, spend limits, stop-losses, and trading hours before enabling it, and store the API key in a secrets manager or locked-down file rather than a project directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
74% confidence
Finding
The skill metadata declares no permissions, yet static analysis indicates network capability. That mismatch weakens transparency and reviewability, because users and platform operators cannot accurately assess what external communication the skill may perform. In a trading-related skill, undeclared network access is especially relevant because it could transmit data, fetch remote logic, or interact with third-party services without clear disclosure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The stated purpose is short-term crypto market trading, but the analyzed behavior includes service worker installation, request interception, caching, offline fallbacks, and lifecycle handlers unrelated to the declared function. That discrepancy is dangerous because service workers can persist in the client, alter network behavior, and mediate future requests, creating a platform for stealthy content manipulation or data collection beyond the user's expectations. In this context, the mismatch makes the skill more suspicious, not less, because trading functionality does not inherently require broad offline caching and fetch interception.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The trading loop code places bets automatically and does not enforce the documented `requireApproval` owner-confirmation control before each financial action. In an agent setting, this can cause unauthorized or unintended trades, especially because the skill otherwise promotes autonomous operation and continuous execution.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The manifest enables autonomous betting and documents one-time API key retrieval, but it does not present strong, explicit warnings that bets can permanently consume the limited TEST/BONUS balance and that the returned API key is a sensitive bearer credential that must never be exposed. In an agent setting, unclear safety messaging increases the chance that a framework or user will mishandle the credential or allow trading without informed consent, leading to account takeover or unintended financial loss within the platform.

Vague Triggers

Low
Confidence
85% confidence
Finding
The skill provides registration, approval polling, and betting workflows but does not define clear invocation boundaries, user-consent requirements, or conditions under which an agent is allowed to register or place bets. In an autonomous-agent context, this can enable unintended account creation, excessive polling, or gambling-like actions without explicit authorization, even though the document appears informational rather than overtly malicious.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to automatically persist a one-time API key and agent identifier to local JSON storage, but provides only minimal protection guidance. If the file is readable by other users, included in backups, or committed accidentally, the credentials could be stolen and used to impersonate the agent or place trades.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill provides a full autonomous betting loop that continuously analyzes markets and submits trades, but the warning and approval requirements are not made prominent or enforced at the point of action. In a financial-risk context, normalizing unattended execution increases the chance of unauthorized spending, loss amplification, and operation outside the owner's intent.

External Transmission

Medium
Category
Data Exfiltration
Content
commentary = generate_trade_commentary(
                asset, best_grid, current_price, base_price, best_ev
            )
            result = requests.post(f"{BASE}/bet", headers=headers, json={
                "gridId": best_grid["gridId"],
                "amount": f"{bet_amount:.2f}",
                "balanceType": "TEST",
Confidence
94% confidence
Finding
requests.post(f"{BASE}/bet", headers=headers, json=

External Transmission

Medium
Category
Data Exfiltration
Content
owner_email = ask_owner("What email should I register with?")

# Step 2: Register via API
response = POST("https://api.predictme.me/api/v1/agent/register", {
    "email": owner_email,
    "agentName": "YourAgentName",       # Pick a memorable name
    "description": "AI trader using momentum strategy"  # Optional
Confidence
88% confidence
Finding
https://api.predictme.me/

External Transmission

Medium
Category
Data Exfiltration
Content
# Step 3: Poll for admin approval
# Owner can also check at: https://app.predictme.me/agents (Status Tracker)
while True:
    status = GET(f"https://api.predictme.me/api/v1/agent/status/{agent_id}")
    if status.data.status == "VERIFIED":
        api_key = status.data.apiKey   # ONE TIME — save immediately!
        save_credentials(agent_id, api_key)
Confidence
82% confidence
Finding
https://api.predictme.me/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
skill.md:59