Beetrade

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Beetrade CLI helper with strong safeguards, but it can still affect real trading accounts if the user approves those actions.

Install only if you trust Beetrade and the @beelabs/beetrade-cli npm package. Use status, list, paper, and backtest commands before approving live trading or account changes. Do not put passwords in shell commands, and do not share or expose files under ~/.beecli/.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
This reference documents commands that can start live trading, stop trading, delete resources, and modify production account state without any explicit warning, confirmation guidance, or safety framing. In an agent skill context, that omission is dangerous because an LLM or user may treat these commands as routine read-only operations and trigger irreversible financial actions or deletions.

Missing User Warnings

Medium
Confidence: 96%
Finding
The document states that access tokens and refresh tokens are stored in ~/.beecli/config.json and shows login via password passed on the command line. This is dangerous because command-line arguments can be exposed through shell history or process listings, and local token storage may be readable by other local users or mishandled by downstream tooling.

VirusTotal

64/64 vendors flagged this skill as clean.
