Trading Tournament

Security checks across malware telemetry and agentic risk

Overview

This skill is openly meant for autonomous trading, but it asks users to run unreviewed trading code with exchange credentials and restart automation.

Install only after inspecting the full trading code it tells you to run. Start in OKX demo mode, use restricted API keys with withdrawals disabled, set exchange-side limits, avoid sending sensitive trading details through Telegram, and do not enable the restart task until you have a clear monitoring and stop procedure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 82%
Finding
The skill advertises real-time Telegram alerts in the context of live trading but does not disclose what account, order, position, or market activity data may be sent to Telegram. Because Telegram is an external service, this omission can lead users to expose sensitive operational trading metadata without informed consent, increasing privacy, OPSEC, and account-targeting risk.

VirusTotal

64/64 vendors flagged this skill as clean.
