
Security audit

Crypto Algo Execution

Security checks across malware telemetry and agentic risk

Overview

The skill matches its crypto-trading purpose, but it needs review because an optional notification script can send order details to arbitrary webhooks or run a configured local command while live trading credentials may be present.

Review before installing. Use restricted QE and exchange API keys, disable withdrawals, apply IP allowlists where possible, and confirm every create/update/cancel parameter before execution. Avoid the command notification channel unless you fully control the environment and executable path, and only use webhook notifications to trusted destinations because they can receive order details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
notify_cmd = os.environ.get("NOTIFY_COMMAND")
if not notify_cmd:
    raise ValueError("NOTIFY_COMMAND not set for command channel")
proc = subprocess.run([notify_cmd, target, message], capture_output=True, text=True)
if proc.returncode != 0:
    err = (proc.stderr or proc.stdout or "").strip()
    raise RuntimeError(f"command notify failed: {err}")
Confidence
96% confidence
Finding
proc = subprocess.run([notify_cmd, target, message], capture_output=True, text=True)

Tainted flow: 'notify_cmd' from os.environ.get (line 131, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
notify_cmd = os.environ.get("NOTIFY_COMMAND")
if not notify_cmd:
    raise ValueError("NOTIFY_COMMAND not set for command channel")
proc = subprocess.run([notify_cmd, target, message], capture_output=True, text=True)
if proc.returncode != 0:
    err = (proc.stderr or proc.stdout or "").strip()
    raise RuntimeError(f"command notify failed: {err}")
Confidence
98% confidence
Finding
proc = subprocess.run([notify_cmd, target, message], capture_output=True, text=True)

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The documented purpose emphasizes trading workflows, but the broader behavior includes arbitrary webhook notifications, execution of an external command from `NOTIFY_COMMAND`, and subprocess-based polling. In a skill that holds high-privilege trading credentials, any undocumented command execution or outbound notification path materially increases risk because it can be abused for secret exfiltration, unauthorized data transmission, or unsafe local command execution.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
For an order-monitoring notification script, a generic command-execution backend is broader than necessary and meaningfully increases attack surface. In the context of a crypto execution skill, arbitrary external command execution is more dangerous because the runtime may hold API keys, account data, and network access to exchanges or internal systems.
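The findings above all come back to the same weakness: the notification script will execute whatever path NOTIFY_COMMAND names and will post order details to whatever webhook is configured. The following is an added example, not code from the skill, of how the command channel and the webhook channel can be constrained. It assumes an operator-controlled directory for notifier executables (ALLOWED_COMMAND_DIRS) and a host allowlist for webhooks (ALLOWED_WEBHOOK_HOSTS); both values and all function names here are constructed for illustration. The command is still invoked as an argv list with no shell, but only after the path has been resolved, allowlisted and checked on disk, and it runs with a minimal environment so exchange API keys in the parent process are not inherited.

```python
import os
import stat
import subprocess
from urllib.parse import urlparse

# Constructed allowlists for this example; the skill's real configuration is not shown on the page.
ALLOWED_COMMAND_DIRS = ("/opt/notify/bin",)
ALLOWED_WEBHOOK_HOSTS = frozenset({"hooks.example.com"})


def resolve_notify_command(notify_cmd, allowed_dirs=ALLOWED_COMMAND_DIRS, check_fs=True):
    """Return the canonical executable path for NOTIFY_COMMAND, or raise ValueError.

    The value must be an absolute path (no PATH lookup) that, with symlinks followed,
    lands inside an allowed directory. With check_fs set it must also be a regular,
    executable file that is not writable by group or others.
    """
    if not notify_cmd:
        raise ValueError("NOTIFY_COMMAND not set for command channel")
    if not os.path.isabs(notify_cmd):
        raise ValueError("NOTIFY_COMMAND must be an absolute path")
    resolved = os.path.realpath(notify_cmd)
    allowed = {os.path.realpath(d) for d in allowed_dirs}
    if os.path.dirname(resolved) not in allowed:
        raise ValueError(f"NOTIFY_COMMAND {resolved!r} is outside the allowed directories")
    if check_fs:
        st = os.stat(resolved)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("NOTIFY_COMMAND is not a regular file")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise ValueError("NOTIFY_COMMAND is group- or world-writable")
        if not os.access(resolved, os.X_OK):
            raise ValueError("NOTIFY_COMMAND is not executable")
    return resolved


def is_valid_notify_command(notify_cmd, allowed_dirs=ALLOWED_COMMAND_DIRS, check_fs=True):
    """Boolean wrapper around resolve_notify_command for callers that only need a verdict."""
    try:
        resolve_notify_command(notify_cmd, allowed_dirs, check_fs)
        return True
    except (ValueError, OSError):
        return False


def is_allowed_webhook(url, allowed_hosts=ALLOWED_WEBHOOK_HOSTS):
    """True only for an https URL whose host is allowlisted and that carries no userinfo."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    return parts.hostname in allowed_hosts


def run_notify_command(target, message, *, allowed_dirs=ALLOWED_COMMAND_DIRS,
                       config_env=None, timeout=10):
    """Run the validated notifier with argv only (no shell), a minimal env and a timeout.

    NOTIFY_COMMAND is read from config_env (default: os.environ); the child gets a fixed
    environment so exchange credentials held by the trading process are not passed on.
    """
    source = os.environ if config_env is None else config_env
    resolved = resolve_notify_command(source.get("NOTIFY_COMMAND"), allowed_dirs)
    proc = subprocess.run(
        [resolved, target, message],
        capture_output=True, text=True, timeout=timeout,
        env={"PATH": "/usr/bin:/bin", "LANG": "C"},
    )
    if proc.returncode != 0:
        err = (proc.stderr or proc.stdout or "").strip()
        raise RuntimeError(f"command notify failed: {err}")
    return proc.stdout
```

Passing argv without a shell, as the original already does, prevents shell injection through the order message, but it says nothing about which executable runs; the path allowlist and the writability check are what close that gap. The webhook check rejects plain http and embedded credentials and only accepts hosts the operator listed, which is the practical form of "trusted destinations only" from the overview.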

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This script performs a destructive trading action by canceling a master order immediately after parsing CLI arguments, with no interactive confirmation, dry-run mode, or secondary safeguard. In a crypto execution context, accidental invocation, wrong order IDs, or automation mistakes can directly disrupt execution strategy, create slippage or missed fills, and cause financial loss.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This script submits real exchange orders and may also cancel one leg as part of rollback, yet it provides no explicit confirmation prompt, dry-run safeguard, or prominent warning before executing trading actions. In a crypto execution skill, this is especially dangerous because a user or calling agent can trigger irreversible market activity, fees, slippage, or unintended exposure simply by invoking the script with valid parameters.
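Both "Missing User Warnings" findings ask for the same safeguard: a dry-run by default and an explicit, parameter-bound confirmation before a create or cancel reaches the exchange. The block below is an added example written for this audit, not the skill's own code. It uses a constructed RecordingExchange stand-in instead of a real exchange client, and the confirmation token is a truncated SHA-256 of the canonical action plus parameters, so a token printed for one order id or one set of legs cannot be reused after the parameters change. Function and flag names (guarded_action, --execute, --confirm) are assumptions for illustration.

```python
import argparse
import hashlib
import json
import re
from dataclasses import dataclass
from typing import Optional

ORDER_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class RecordingExchange:
    """Constructed stand-in for the exchange client: records calls instead of trading."""

    def __init__(self):
        self.calls = []

    def create_order(self, **params):
        self.calls.append(("create", params))
        return {"status": "open", **params}

    def cancel_order(self, order_id):
        self.calls.append(("cancel", {"order_id": order_id}))
        return {"status": "canceled", "order_id": order_id}


@dataclass
class GateResult:
    executed: bool
    token: str
    detail: str
    response: Optional[dict] = None


def confirmation_token(action, params):
    """Token bound to the exact action and parameters; an edited plan yields a different token."""
    canonical = json.dumps({"action": action, "params": params}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def guarded_action(exchange, action, params, *, execute=False, confirm=None):
    """Dry-run unless execute is set and confirm repeats the token shown by the dry-run."""
    if action not in ("create", "cancel"):
        raise ValueError(f"unsupported action {action!r}")
    if action == "cancel" and not ORDER_ID_RE.fullmatch(str(params.get("order_id", ""))):
        return GateResult(False, "", "rejected: malformed order_id")
    token = confirmation_token(action, params)
    if not execute:
        return GateResult(False, token,
                          f"dry-run: would {action} {params}; re-run with --execute --confirm {token}")
    if confirm != token:
        return GateResult(False, token, "rejected: --confirm does not match the token for these parameters")
    if action == "create":
        resp = exchange.create_order(**params)
    else:
        resp = exchange.cancel_order(params["order_id"])
    return GateResult(True, token, "executed", resp)


def main(argv=None):
    """CLI wrapper for a cancel: dry-run by default, destructive only with both flags."""
    p = argparse.ArgumentParser(description="Cancel an order behind dry-run and confirmation gates")
    p.add_argument("order_id")
    p.add_argument("--execute", action="store_true", help="send the cancel (default: dry-run)")
    p.add_argument("--confirm", help="token printed by the dry-run for these exact parameters")
    a = p.parse_args(argv)
    result = guarded_action(RecordingExchange(), "cancel", {"order_id": a.order_id},
                            execute=a.execute, confirm=a.confirm)
    print(result.detail)
    return 0 if result.executed or not a.execute else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

The same gate applies to the two-leg submit: the caller passes the full leg parameters to guarded_action with action "create", gets a token from the dry-run, and a calling agent that wants to trade has to echo that token back, which means it has to have seen the exact parameters it is about to commit to.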

VirusTotal

66/66 vendors flagged this skill as clean.
