Security audit

Torch Liquidation Bot

Security checks across malware telemetry and agentic risk

Overview

The bot’s main liquidation behavior is openly described, but the bundle also exposes broader Torch trading, vault administration, and agent-facing trading guidance beyond a liquidation-only keeper.

Install only if you intend to run an autonomous Solana liquidation keeper and can isolate it to a disposable controller key linked to a vault with limited funds. Do not provide a vault authority key as SOLANA_PRIVATE_KEY, review the broader bundled SDK before letting an agent import it directly, and monitor/revoke the linked wallet if behavior differs from liquidation-only operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (29)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill explicitly requires environment variables and makes outbound network calls, yet it declares no permissions. That mismatch is a real security issue because hosts, users, or policy engines may assume the skill is less capable than it actually is, reducing transparency and weakening sandboxing or approval workflows. In this specific skill, the undeclared capabilities are especially relevant because it can access sensitive runtime configuration and continuously submit on-chain liquidation transactions over the network.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file is for a liquidation-only keeper skill, but large sections market and instruct broad Torch Market trading, vault usage, buying tokens, and general agent operation. This scope expansion can mislead an autonomous agent into invoking unrelated, value-moving behaviors outside the declared skill purpose, increasing the risk of unauthorized trading or misuse of funds.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The 'For Agents' section explicitly tells agents to create vaults, deposit SOL, and use a buy-token flow, which directly contradicts the liquidation bot’s stated purpose. In an agent skill, prescriptive instructions like these are dangerous because they can steer orchestration logic toward asset purchases rather than liquidation-only execution, causing unintended spend and strategy drift.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The document describes an SDK surface that includes broad trading, token creation, migration, rewards, and protocol-management capabilities far beyond the stated purpose of an autonomous liquidation keeper. For an agent skill, this is dangerous because it signals unnecessary authority and code paths that could be invoked intentionally or accidentally, increasing the blast radius from a liquidation-only bot into generalized market interaction and fund-moving behavior.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Documented support for sendBuy/sendDirectBuy means the underlying capability can create and submit discretionary market trades, which is outside the keeper's stated mandate. In an autonomous agent context, this materially increases risk because compromise, prompt injection, misconfiguration, or strategy bugs could convert a liquidation bot into a speculative trading bot using managed funds.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Token-creation capability is unrelated to liquidation keeping and introduces an unnecessary high-risk action surface. Even if intended as harmless SDK completeness, exposing mint creation in an autonomous operational bot enables misuse, accidental launches, spam issuance, or deceptive asset creation that is incompatible with the principle of least functionality.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Permissionless epoch advancement and protocol rewards claiming are outside the stated liquidation keeper scope and create extra fund-affecting behaviors. In a bot environment, these paths can be triggered by faulty logic or malicious input, causing operational drift, unintended economic actions, or abuse of the bot's signer and gas budget.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The implementation contradicts the safety claims in the comments: it exposes the live Keypair object and a generic signing function to any caller holding the returned agent. In a liquidation bot context, that key is authorized to operate a vault, so any untrusted plugin, dependency, log sink, or runtime compromise can immediately use or exfiltrate the private key and sign arbitrary vault operations during the process lifetime.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This file introduces an external wallet-reputation lookup against SAID Protocol that is not necessary for an autonomous liquidation keeper. Even if the function is not directly harmful on its own, it enables outbound transmission of wallet addresses to a third party and expands the skill's scope beyond the declared liquidation-only purpose, creating privacy, supply-chain, and policy-risk concerns.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The module performs wallet verification and classifies transactions as token launches or trades, which is inconsistent with the manifest describing a liquidation-only keeper. In a financial automation skill, hidden or unrelated capabilities are dangerous because they can be used for covert telemetry, behavior profiling, or future logic branching that operators do not expect.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code fetches arbitrary metadata URIs taken from on-chain token data and also contacts third-party services such as CoinGecko. In a liquidation bot context, this introduces unnecessary outbound network access, enabling SSRF-style requests to attacker-controlled endpoints, metadata-based tracking, denial-of-service via slow responses, and privacy leakage from infrastructure that should ideally only talk to Solana RPC.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The bundled IDL exposes a very large attack surface that materially exceeds the skill’s stated purpose of autonomous liquidation keeping. In addition to liquidation, it includes token launch, market migration, trading, rewards, vault funding, wallet linking, authority transfer, and withdrawal primitives, so any agent or wrapper using this SDK can be induced or misconfigured to perform high-risk actions unrelated to liquidation.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Including create_token and related market-launch functionality is incompatible with a liquidation bot’s declared role and enables asset issuance/launch behavior that could be abused for unauthorized token creation or market manipulation workflows. In an autonomous agent context, excess capabilities are dangerous because prompt injection, bad routing, or compromised orchestration can turn dormant functionality into active fund-moving behavior.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Bundling buy, sell, and short-selling related instructions gives the skill discretionary trading capability far beyond liquidation execution. For a keeper that may control a vault and sign transactions, these methods could be abused to take speculative positions, churn funds, or manipulate exposure instead of performing narrowly scoped liquidations.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
DEX migration and swap capabilities are unrelated to liquidation keeping and can move assets across venues, create pools, and exchange inventory, which substantially increases the potential blast radius of a compromised or misdirected agent. In the stated context, these functions make the skill more dangerous because a liquidation keeper should not need authority to migrate markets or perform general swaps.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Vault administration and withdrawal functionality is especially dangerous in a liquidation bot because the skill description says it operates through a Torch Vault and collects proceeds, meaning the agent likely has access to real assets. Instructions such as transfer_authority, link/unlink_wallet, withdraw_tokens, withdraw_vault, and other vault operations create direct pathways for fund exfiltration or persistence changes if the agent is compromised, tricked, or misconfigured.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The declared SDK surface is much broader than the stated purpose of a liquidation-only keeper, exposing capabilities for trading, token creation, vault admin, rewards, and shorting. In an autonomous agent context, this creates a material scope-mismatch risk: a compromised prompt, tool-selection bug, or malicious workflow could invoke powerful unrelated actions with real assets.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This file exposes buy, direct-buy, sell, star, create-token, and migration transaction builders despite the skill being described as a liquidation bot. For an autonomous agent with signing access, these functions materially expand the blast radius from liquidation into speculative trading and token issuance, enabling unauthorized fund use or deceptive token-launch behavior if misused.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The SDK includes create-vault, deposit, withdraw, link/unlink wallet, transfer-authority, and token-withdrawal operations that grant or move administrative control and assets. In a liquidation keeper context, these are especially dangerous because they can re-route custody, drain vault funds, or expand signer authority far beyond what is needed to liquidate positions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Beyond liquidation, the file supports borrowing, repaying, claiming rewards, reclaiming tokens, harvesting/selling fees, and opening/closing/liquidating shorts. In an autonomous keeper, this over-privileged access could be abused to speculate, manipulate protocol positions, extract treasury-related value, or trigger economically harmful actions inconsistent with the skill's stated mission.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file exposes a full-featured transaction SDK far beyond the declared purpose of an autonomous liquidation keeper, including trading, token creation, vault administration, migration, reward claiming, fee harvesting, and short-selling. In an agent-skill context, this materially expands the action surface available to the agent or an attacker who can steer it, enabling unauthorized or unintended financial operations inconsistent with least privilege.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Token creation is unrelated to a liquidation bot and gives the skill the ability to mint and launch new assets, which is a materially different and riskier privilege set. In an autonomous-agent setting, this can be abused to create deceptive tokens, trigger unwanted on-chain activity, or bypass operational expectations about what the skill is allowed to do.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The file contains discretionary trading primitives such as buy, sell, direct wallet trading, and vault-routed DEX swaps, none of which are required for a liquidation keeper whose role is to identify and liquidate unhealthy positions. This creates a strong opportunity for agent misuse, prompt-injection-driven fund loss, or covert speculative trading using wallets or vaults under the skill's control.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Vault creation, deposit, withdrawal, wallet linking, authority transfer, and token withdrawal operations provide broad custody and fund-movement powers that exceed what a liquidation keeper should need. In this context, such primitives are especially dangerous because they let an agent reconfigure control paths or move assets, turning a liquidation bot into a general-purpose wallet admin tool.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Borrow, repay, short-selling, and short-liquidation features introduce leveraged trading and debt-management capabilities that are unrelated to the stated keeper purpose. For an autonomous liquidation bot, this dramatically increases the risk profile by enabling the agent to open exposure, rotate positions, or manipulate protocol state beyond simply liquidating underwater loans.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.