Back to skill

Security audit

Bitagent Skill

Security checks across malware telemetry and agentic risk

Overview

The skill matches its BitAgent trading purpose, but it can use a stored wallet private key to submit real blockchain launches and trades without built-in confirmation safeguards.

Review carefully before installing. Use a dedicated low-balance wallet, start on testnet, keep PRIVATE_KEY out of shared configs, logs, and source control, verify the repository and npm dependencies, and require explicit human approval for every mainnet launch, buy, or sell because these actions can be irreversible and can lose funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to execute a CLI that uses both environment secrets and network access, but the skill file does not declare permissions or boundaries for those capabilities. That creates a transparency and control gap: an agent or platform may invoke code with wallet credentials and blockchain connectivity without explicit capability disclosure, increasing the risk of unintended secret use or external side effects.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises launch, buy, and sell operations for blockchain tokens without clearly warning that these actions can spend real funds, may be irreversible once submitted on-chain, and can expose users to slippage or loss. In a trading skill, omission of those warnings increases the chance that users or downstream agents trigger financially consequential actions without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to place a wallet PRIVATE_KEY into skill configuration but does not prominently warn that this secret grants full wallet control and must be protected from logs, source control, and shared config files. Because this skill can sign token launch and trade transactions, mishandling the key could directly lead to wallet compromise and unauthorized asset movement.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill directs the agent to perform token launches and buy/sell operations, which are financially sensitive and typically irreversible on-chain, but it does not require a clear user-facing warning or confirmation step before execution. In practice, this can lead to accidental trades, token launches, or loss of funds if a request is misinterpreted or parameters are wrong.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation requires a raw wallet private key in an environment variable but provides no user-facing warning about the sensitivity of that credential or the consequences of mishandling it. Because the skill also mandates executing a networked CLI, exposure or misuse of the key could enable unauthorized transactions and full compromise of wallet-controlled assets.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script automatically loads a private key from the environment, signs a SIWE message, and transmits the signed authentication material to a remote BitAgent API without any interactive disclosure or consent step. In a skill context, this is risky because invoking the skill can silently use wallet credentials and authenticate to an external service, which expands the trust boundary beyond local blockchain signing.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill executes buy/sell and launch flows that can submit irreversible on-chain transactions immediately after parsing CLI flags, with no confirmation prompt, no human approval gate, and only a hardcoded slippage setting. In this skill's context, that is especially dangerous because it directly handles token creation and trading, so a mistaken invocation, malformed input, or agent misuse can cause immediate financial loss.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"module": "index.ts",
  "type": "module",
  "devDependencies": {
    "@types/bun": "latest"
  },
  "peerDependencies": {
    "typescript": "^5"
Confidence
97% confidence
Finding
"@types/bun": "latest"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"@types/bun": "latest"
  },
  "peerDependencies": {
    "typescript": "^5"
  },
  "dependencies": {
    "@bitagent/sdk": "^3.1.4",
Confidence
88% confidence
Finding
"typescript": "^5"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"typescript": "^5"
  },
  "dependencies": {
    "@bitagent/sdk": "^3.1.4",
    "dotenv": "^17.2.3",
    "siwe": "^3.0.0",
    "viem": "^2.45.1"
Confidence
95% confidence
Finding
"@bitagent/sdk": "^3.1.4"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "@bitagent/sdk": "^3.1.4",
    "dotenv": "^17.2.3",
    "siwe": "^3.0.0",
    "viem": "^2.45.1"
  }
Confidence
90% confidence
Finding
"dotenv": "^17.2.3"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "@bitagent/sdk": "^3.1.4",
    "dotenv": "^17.2.3",
    "siwe": "^3.0.0",
    "viem": "^2.45.1"
  }
}
Confidence
94% confidence
Finding
"siwe": "^3.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"@bitagent/sdk": "^3.1.4",
    "dotenv": "^17.2.3",
    "siwe": "^3.0.0",
    "viem": "^2.45.1"
  }
}
Confidence
96% confidence
Finding
"viem": "^2.45.1"

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.secret_argv_exposure

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/index.ts:100

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
SKILL.md:25