MEXC OpenAPI Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent MEXC Spot API skill, but its signed commands can affect a real exchange account.

Install only if you intend to let an agent interact with MEXC Spot. Use a dedicated least-privilege API key, disable withdrawals, enable trading only if needed, keep secrets in environment variables, review the schema source, and manually confirm every order or cancellation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The OpenAPI spec exposes live trading operations for creating and canceling orders without any explicit warning, confirmation requirement, or safety annotation that these actions affect a real exchange account. In an agent skill context, this increases the chance that a user or upstream agent invokes destructive financial actions unintentionally, especially because the same schema mixes harmless market-data endpoints with signed account/trading workflows.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation includes concrete write examples that place and cancel live orders without any explicit warning that these commands affect a real trading account. In a trading skill, copy-pasteable examples can lead users to unintentionally execute financial transactions, especially when authenticated bindings are already configured earlier in the same document.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal