Back to skill

Security audit

Elfa AI

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate Elfa API/trading helper, but it enables live financial actions and automation with insufficiently clear user-facing safeguards.

Review this skill carefully before installing. Only use it with accounts and API keys you are prepared to let an agent act on, prefer read-only or test credentials where possible, and require explicit human confirmation before any live trade, exchange-linking, cancellation, deletion, or recurring automation action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises and instructs use of network and shell capabilities (`curl`, optional `python3`/`jq`) but does not declare explicit permissions. In an agent setting, this weakens governance and user visibility around what the skill can do, especially because it can reach external APIs and invoke shell commands that may trigger trades or mutate remote state.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill prominently supports live trade placement, automated trigger execution, recurring trade actions, and prediction-market actions without a clear upfront risk warning about irreversible financial consequences. In an agent workflow, this can cause users or downstream systems to authorize high-impact transactions without informed consent or guardrails.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
This OpenAPI spec exposes direct trading endpoints that can place, close, modify, and cancel live orders, but the descriptions do not prominently warn that these are live, account-impacting, potentially irreversible financial actions. In an agent skill context, weak warning language materially increases the risk of accidental execution, unsafe automation, or user misunderstanding, especially because the broader skill advertises autonomous workflows and trading.

External Transmission

Medium
Category
Data Exfiltration
Content
SIGNATURE=$(echo -n "${TIMESTAMP}POST/orders${BODY}" | \
  openssl dgst -sha256 -hmac "${ELFA_HMAC_SECRET}" -hex | awk '{print $2}')

curl -sS -X POST https://api.elfa.ai/v2/trade/orders \
  -H "x-elfa-api-key: ${ELFA_API_KEY}" \
  -H "x-elfa-signature: ${SIGNATURE}" \
  -H "x-elfa-timestamp: ${TIMESTAMP}" \
Confidence
94% confidence
Finding
curl -sS -X POST https://api.elfa.ai/v2/trade/orders \ -H "x-elfa-api-key: ${ELFA_API_KEY}" \ -H "x-elfa-signature: ${SIGNATURE}" \ -H "x-elfa-timestamp: ${TIMESTAMP}" \ -H "x-correlation-id:

External Transmission

Medium
Category
Data Exfiltration
Content
SIGNATURE=$(echo -n "${TIMESTAMP}POST/orders${BODY}" | \
  openssl dgst -sha256 -hmac "${ELFA_HMAC_SECRET}" -hex | awk '{print $2}')

curl -sS -X POST https://api.elfa.ai/v2/trade/orders \
  -H "x-elfa-api-key: ${ELFA_API_KEY}" \
  -H "x-elfa-signature: ${SIGNATURE}" \
  -H "x-elfa-timestamp: ${TIMESTAMP}" \
Confidence
94% confidence
Finding
https://api.elfa.ai/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Why this matters for agents.** An agent that only ever sends `notify` / `telegram_bot` /
`webhook` actions can call `POST /v2/auto/queries`, `POST /v2/auto/queries/:id/cancel`,
`DELETE /v2/auto/queries/:id`, etc. with just `x-elfa-api-key` — no HMAC secret
provisioning required. Agents that need trade execution must still configure
`ELFA_HMAC_SECRET` for the trade-flavoured calls and for exchange linking.
Confidence
72% confidence
Finding
DELETE /v2/auto/queries/:id`,

Tool Parameter Abuse

High
Category
Tool Misuse
Content
/queries/drafts/*)            ;;  # GET/DELETE specific draft (no side effects)
      /queries/drafts)              HMAC_BEHAVIOR="conditional" ;;  # POST upsert depends on body action
      /queries/*/cancel)            HMAC_BEHAVIOR="conditional" ;;  # POST cancel depends on stored query action
      /queries/*)                   HMAC_BEHAVIOR="conditional" ;;  # DELETE /queries/:id (delete terminal query — only on triggered/expired/cancelled/failed)
      /queries)                     HMAC_BEHAVIOR="conditional" ;;  # POST create depends on body action
      /exchanges)                   HMAC_BEHAVIOR="required" ;;  # POST connect: trade gateway
      /exchanges/*)                 HMAC_BEHAVIOR="required" ;;  # DELETE disconnect: trade gateway
Confidence
71% confidence
Finding
DELETE /queries/:id

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.