Back to skill

Security audit

Kraken OpenAPI Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is documented as public Kraken market data, but it also ships a separate schema containing private account and live trading operations.

Review before installing, especially if your agent environment can access Kraken API credentials. The documented public market-data workflow is coherent, but the extra private/trading schema should be removed, split into a clearly named trading skill, or guarded with explicit user confirmation and least-privilege credential guidance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The schema claims a market/public API focus, but it also exposes private endpoints for balances, open orders, open positions, and trading actions. This creates a scope mismatch that can mislead downstream agents or users into invoking sensitive authenticated operations they did not expect, increasing the risk of unauthorized account access or fund-impacting actions when credentials are available.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The OpenAPI file includes order placement and cancellation operations even though the skill is described as market-first/public. In an agent setting, these are high-risk side-effecting actions: if the agent obtains credentials or is prompted ambiguously, it could place or cancel real trades, causing direct financial loss.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Destructive financial operations are defined without embedded warning/confirmation guidance, such as requiring explicit acknowledgement before live trading actions. In an autonomous or semi-autonomous agent workflow, the absence of these safeguards makes accidental or prompt-induced execution more likely, especially for market orders and cancellations that have immediate account consequences.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.