
Security audit

Dca Signal

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent and openly describes a paid trading-signal API, but it hands the agent a wallet private key for automatic per-call payments without enough guidance on user control or wallet safety.

Install only if you are comfortable letting the agent make paid requests to apexrunner.ai. Use a dedicated low-balance wallet, not a main trading wallet, and confirm expected price and call frequency before running automated DCA workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill instructs the agent to use an environment-sourced EVM private key to authenticate paid requests, but it does not prominently warn that this credential is highly sensitive and can authorize on-chain spending. In this context, the key is not just an API token: compromise, misuse, or accidental reuse of a trading wallet key could lead to wallet drainage or unintended paid transactions.
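The overview's advice (dedicated low-balance wallet, confirmed price and call frequency) and this finding's risk (a wallet key that authorizes spending) both come down to one missing control: nothing between the agent and the wallet enforces a spend policy. The following is an added example, not code from the skill or from SkillSpector, of a guard that the agent's payment path could call before each paid request. The environment variable name DCA_PAYER_PRIVATE_KEY, the price figures, and the hypothetical run_quotes helper are assumptions; the block performs no signing and no network calls.

```python
"""Spend guard for agent-initiated per-call payments.

Added example (not part of the skill or the audit). Enforces the per-call
price cap, call-rate cap and total budget a user should confirm before an
agent pays from a wallet key, and wraps the key so it is never logged.
The variable name DCA_PAYER_PRIVATE_KEY and all figures are assumptions.
"""
import os
import re
import time
from dataclasses import dataclass, field
from decimal import Decimal

# A raw 32-byte EVM private key as hex, with or without a 0x prefix.
_KEY_RE = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")


def key_is_wellformed(raw: str) -> bool:
    """Format check only; says nothing about which wallet the key controls."""
    return bool(_KEY_RE.match(raw.strip()))


class PayerKey:
    """Holds the private key so that repr/str (and so logging) never reveal it."""

    def __init__(self, hex_key: str):
        if not key_is_wellformed(hex_key):
            raise ValueError("payer key is not a 32-byte hex private key")
        self._hex = hex_key.strip().lower().removeprefix("0x")

    def __repr__(self) -> str:
        return "PayerKey(<redacted>)"

    __str__ = __repr__

    def reveal(self) -> str:
        """Only the signing routine should call this, immediately before signing."""
        return self._hex


def load_payer_key(env=os.environ, var="DCA_PAYER_PRIVATE_KEY") -> PayerKey:
    """Read the key from the environment; fail loudly if it is absent or malformed."""
    raw = env.get(var)
    if not raw:
        raise RuntimeError(f"{var} is not set; refusing to start a paid workflow")
    return PayerKey(raw)


@dataclass(frozen=True)
class SpendPolicy:
    max_price_per_call: Decimal   # highest quoted price the agent may accept
    max_calls_per_window: int     # rate cap on approved paid calls
    window_seconds: int           # length of the rate-cap window
    max_total_spend: Decimal      # hard budget; fund the dedicated wallet with no more


@dataclass
class SpendGuard:
    policy: SpendPolicy
    approved_at: list = field(default_factory=list)  # timestamps of approved calls
    spent: Decimal = Decimal("0")

    def decide(self, quoted_price, now=None) -> tuple:
        """Check one quote against the policy; record it only if approved.

        Returns (allowed, reason). The agent must not sign a payment unless
        allowed is True.
        """
        now = time.time() if now is None else now
        price = Decimal(str(quoted_price))
        pol = self.policy
        if price <= 0:
            return False, "non-positive quote"
        if price > pol.max_price_per_call:
            return False, f"quote {price} exceeds per-call cap {pol.max_price_per_call}"
        recent = [t for t in self.approved_at if now - t < pol.window_seconds]
        if len(recent) >= pol.max_calls_per_window:
            return False, f"rate cap of {pol.max_calls_per_window} per {pol.window_seconds}s reached"
        if self.spent + price > pol.max_total_spend:
            return False, f"budget of {pol.max_total_spend} would be exceeded"
        self.approved_at = recent + [now]   # prune old timestamps, record this call
        self.spent += price
        return True, "approved"


def example_guard() -> SpendGuard:
    """Constructed policy: 0.05 per call, 3 calls per hour, 0.12 total (assumed units)."""
    return SpendGuard(SpendPolicy(Decimal("0.05"), 3, 3600, Decimal("0.12")))


def run_quotes(guard: SpendGuard, quotes) -> list:
    """Hypothetical helper: feed (timestamp, quoted_price) pairs through the guard."""
    return [guard.decide(price, now=ts)[1] for ts, price in quotes]


if __name__ == "__main__":
    key = load_payer_key({"DCA_PAYER_PRIVATE_KEY": "0x" + "ab" * 32})  # constructed key
    print(key)  # PayerKey(<redacted>)
    g = example_guard()
    # Constructed sequence: two normal quotes, an inflated one, a third normal
    # one, a fourth inside the window, and one after the budget is spent.
    for reason in run_quotes(g, [(0, "0.04"), (10, "0.04"), (20, "0.50"),
                                 (30, "0.04"), (40, "0.01"), (4000, "0.01")]):
        print(reason)
```

The guard is deliberately independent of the payment protocol: whatever signing code the skill uses, the policy check runs first and the key object refuses to print itself, so an inflated quote, a runaway loop, or a compromised prompt cannot spend beyond what the user funded the dedicated wallet with.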

VirusTotal

64/64 vendors flagged this skill as clean.
