Back to skill

Security audit

KuCoin OpenAPI Skill

Security checks across malware telemetry and agentic risk

Overview

This skill appears limited to read-only public KuCoin market data through UXC and does not request trading credentials or account access.

Install this if you are comfortable letting an agent use `uxc` for KuCoin public market-data reads. No KuCoin API key or trading authority is requested; for stricter supply-chain control, prefer the bundled schema or pin the raw GitHub schema to a trusted commit before linking.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
This is a mismatch because the declared purpose says the skill operates KuCoin public market APIs through UXC, implying API interaction functionality. The actual code shown does not interact with KuCoin or UXC at runtime; it only validates that certain files exist and contain expected strings and schema elements. Its primary purpose is build/repo validation, not operating exchange APIs. There are no hidden external accesses beyond local file inspection, but the core behavior materially differs from the description.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.