
Security audit

Dawn

Security checks across malware telemetry and agentic risk

Overview

This Dawn skill is coherent for automated trading, but it gives agents live wallet-trading and background-strategy authority without enough explicit safety gates around real-money launches and sensitive context use.

Install only if you are comfortable with automated trading risk. Start in paper mode, review generated or downloaded Python strategy code and dependencies, use small budgets, protect DAWN_JWT_TOKEN and wallet access, and require a clear confirmation before any live launch, sell, redeem, or LLM-agent strategy that can trade or see portfolio data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The skill explicitly states that any pip dependency can be installed and later documents agent primitives that can invoke broad SDK tooling, which materially expands capability beyond a narrow trading-workflow reference. In an agentic environment, this increases the chance of arbitrary networked code, unreviewed dependency use, and privilege/capability creep that a user would not expect from the manifest description alone.
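One concrete check a reviewer can run before installing a downloaded strategy's dependencies is to reject anything an installer could resolve to an unexpected artifact. The script below is an added example and is not part of the Dawn skill or of SkillSpector; the requirements text it scans is constructed for illustration. It flags requirements that are not pinned with `==`, direct URL/VCS sources, pip option lines, and pinned requirements that carry no `--hash`.

```python
import re

# Constructed sample, not a real strategy's requirements file.
SAMPLE_REQUIREMENTS = """\
# pinned and hashed: the only line that needs no review
numpy==1.26.4 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pandas>=2.0
requests
git+https://github.com/example/strategy-helper.git
ccxt==4.3.0
"""

# name, optional [extras], then an exact "==version" pin
_PINNED_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*[^\s;]+")


def review_requirements(text: str) -> list:
    """Return (line number, problem) for every requirement an installer could
    resolve to something other than a known, hash-checked artifact."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("-"):
            problems.append((lineno, "pip option (-r/-e/--index-url): review what it pulls in"))
        elif "://" in line or line.startswith(("git+", "hg+", "svn+", "bzr+")):
            problems.append((lineno, "direct URL/VCS source: not from the index, cannot be hash-checked"))
        elif not _PINNED_RE.match(line):
            problems.append((lineno, "not pinned with ==: resolver may choose any version"))
        elif "--hash=" not in line:
            problems.append((lineno, "pinned but no --hash: a swapped artifact would install silently"))
    return problems


def safe_to_install(text: str) -> bool:
    """True only when every requirement is pinned and hash-checked."""
    return not review_requirements(text)


if __name__ == "__main__":
    for lineno, problem in review_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {problem}")
    print("safe to install:", safe_to_install(SAMPLE_REQUIREMENTS))
```

Run it against the strategy's requirements file before `pip install`; a non-empty result means the dependency set needs review, not that it is malicious.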

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The Agent/run_agent section introduces persistent and one-shot external LLM access with broad tool integration, while noting that the user's own API key is used. That creates an undeclared path for sensitive market, portfolio, or strategy context to be sent to third-party model providers and enables autonomous decision-making beyond the stated local Dawn strategy workflow.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
Labeling the research tools as 'read-only, safe to call any time' is misleading because the set includes functions like read_portfolio and user-trading/leaderboard activity that expose sensitive financial and behavioral data. Even if non-mutating, these calls are not universally safe from a privacy and least-privilege perspective, and the wording may cause downstream agents to invoke them without appropriate justification or consent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill instructs users to export a JWT directly into an environment variable for headless use but provides no warning about secret handling, shell history, process inspection, CI log exposure, or secure secret storage. Because this skill is specifically for authentication to a trading platform, mishandling the token could let an attacker reuse the session and access account-linked operations.
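The safer handling the finding asks for is to keep the token out of command lines and to know how long it stays valid. The script below is an added example, not code from the Dawn skill: it reads the token from an owner-only file (the path `~/.config/dawn/token` is an assumption; the skill only documents the `DAWN_JWT_TOKEN` variable), refuses group- or world-readable files, decodes the JWT payload to report the remaining lifetime of the `exp` claim, and produces a redacted form for logs. The payload is decoded without signature verification, which is fine for inspection but must never be used as authentication; the sample token is constructed and unsigned.

```python
import base64
import json
import os
import stat
import time
from typing import Optional

# Assumed location; the Dawn skill documents only the DAWN_JWT_TOKEN env var.
TOKEN_FILE = os.path.expanduser("~/.config/dawn/token")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


def jwt_claims(token: str) -> dict:
    """Payload claims read WITHOUT signature verification: inspection only
    (expiry, subject). Never treat an unverified payload as proof of anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_lifetime_remaining(token: str, now: Optional[float] = None) -> float:
    """Seconds until the exp claim; negative if already expired."""
    claims = jwt_claims(token)
    if "exp" not in claims:
        raise ValueError("token has no exp claim; it never expires by itself")
    now = time.time() if now is None else now
    return float(claims["exp"]) - now


def check_file_mode(mode: int) -> None:
    """Reject any group or other permission bits on the token file."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"token file must be owner-only (0600); got {oct(mode & 0o777)}")


def load_token(path: str = TOKEN_FILE) -> str:
    """Read the token from a 0600 file so it never appears in shell history,
    `ps` output or CI command logs the way `export DAWN_JWT_TOKEN=...` does."""
    check_file_mode(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        token = fh.read().strip()
    jwt_claims(token)  # fail early on a malformed token
    return token


def redact(token: str) -> str:
    """Log-safe form: enough to correlate, not enough to reuse."""
    return f"{token[:6]}...{token[-4:]}" if len(token) > 16 else "***"


if __name__ == "__main__":
    # Accept a token injected by a secret manager, otherwise read the file.
    tok = os.environ.get("DAWN_JWT_TOKEN") or load_token()
    print("token", redact(tok), "expires in", int(token_lifetime_remaining(tok)), "s")
```

A long or absent `exp` is itself a finding: a stolen long-lived token gives an attacker the same account-linked operations until it is revoked server-side.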

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill documents `--live` mode immediately after paper mode but does not place a prominent safety warning that live mode executes real-money trades from the selected wallet. In this context, the same section also documents sell/sell-all wallet-affecting actions, so a user or downstream agent could invoke destructive financial operations without adequate informed consent.
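The confirmation the overview asks for can be made concrete as a gate that every wallet-affecting call has to pass. The code below is an added example and is not the Dawn skill's CLI or SDK; the action names, the `--live` flag semantics, the amount cap and the `execute` callable are assumptions for illustration. Paper mode is the default and passes unconditionally; live mode requires an interactive operator (so a headless agent cannot clear it), a selected wallet, an amount within a small cap, and a typed phrase that names the exact action, wallet and amount so a confirmation cannot be replayed for a different request.

```python
from dataclasses import dataclass
import sys

# Assumed cap for illustration: the audit recommends small budgets for real money.
MAX_LIVE_AMOUNT_USD = 50.0


@dataclass(frozen=True)
class TradeRequest:
    action: str            # assumed names, e.g. "launch", "sell", "sell_all", "redeem"
    wallet: str
    amount_usd: float
    live: bool = False     # default is paper mode; --live must be asked for


class LiveTradeRefused(Exception):
    """Raised when a real-money action is attempted without passing every gate."""


def required_phrase(req: TradeRequest) -> str:
    """Binds the confirmation to action, wallet and amount, so a phrase typed
    for one request cannot be reused for another."""
    return f"LIVE {req.action} {req.amount_usd:.2f} USD {req.wallet}"


def check_live_request(req: TradeRequest, typed: str, interactive: bool) -> str:
    """Return "paper" or "live". Paper always passes; live must clear four gates."""
    if not req.live:
        return "paper"
    if not interactive:
        raise LiveTradeRefused("live mode needs an interactive operator; refusing headless or agent-driven run")
    if not req.wallet:
        raise LiveTradeRefused("no wallet selected")
    if not 0 < req.amount_usd <= MAX_LIVE_AMOUNT_USD:
        raise LiveTradeRefused(f"amount {req.amount_usd} outside (0, {MAX_LIVE_AMOUNT_USD}] USD")
    if typed.strip() != required_phrase(req):
        raise LiveTradeRefused("confirmation phrase did not match; nothing executed")
    return "live"


def run(req: TradeRequest, typed: str, interactive: bool, execute):
    """execute(req, mode) stands in for the real trading call (assumed) and is
    only reached after the gate has passed."""
    mode = check_live_request(req, typed, interactive)
    return execute(req, mode)


if __name__ == "__main__":
    import argparse
    ap = argparse.ArgumentParser()
    ap.add_argument("action")
    ap.add_argument("--wallet", default="")
    ap.add_argument("--amount", type=float, default=0.0)
    ap.add_argument("--live", action="store_true")
    a = ap.parse_args()
    req = TradeRequest(a.action, a.wallet, a.amount, a.live)
    interactive = sys.stdin.isatty()
    typed = ""
    if req.live and interactive:
        print("This executes a real-money action. Type exactly:", required_phrase(req))
        typed = input("> ")
    try:
        print(run(req, typed, interactive, lambda r, m: f"{m}: {r.action} {r.amount_usd} USD"))
    except LiveTradeRefused as e:
        sys.exit(f"refused: {e}")
```

The important property is that an agent or a pipeline without a terminal can never reach the live branch, and that a pasted or remembered phrase does not transfer between actions, wallets or amounts.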

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.