Security audit

Unified crypto market data API and scripts for exchanges, markets, tickers, OHLCV, and orderbooks

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Milaex market-data helper that uses an API key to make read-only crypto data requests.

Install this only if you trust Milaex and need read-only crypto market data. Use a revocable or limited API key if available, store it in the configured secret location rather than prompts or logs, leave MILAEX_BASE_URL unset unless you intentionally trust the replacement endpoint, and install Python dependencies from a trusted environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding:
The skill declares access to environment variables, shell execution, and network use through its metadata and documented commands, but it does not declare explicit permissions. That creates a transparency and governance problem: a user or orchestrator may invoke a skill that can exfiltrate secrets or make outbound requests without a clear permission boundary, especially since it requires an API key and calls an external service.

VirusTotal

51/51 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.