Phemex Cli

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Phemex trading helper, but it needs review because it can make real financial account changes and recommends persistent local API-key storage.

Install only if you intentionally want agent-assisted Phemex trading. Use a dedicated least-privilege API key, disable withdrawals, restrict by IP if available, prefer testnet until verified, avoid persistent credential files on shared machines, and require explicit confirmation before every order, cancellation, leverage or position-mode change, and fund transfer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence: 86%
Finding: The skill description and invocation scope are very broad, covering nearly any Phemex or exchange-related action including read-only queries and high-risk trading operations. Overly broad routing can cause the agent to invoke a credentialed trading skill in situations where a safer, narrower tool or no tool should be used, increasing the chance of unintended financial actions.

Missing User Warnings

Medium
Confidence: 95%
Finding: The setup recommends storing API credentials in ~/.phemexrc in plaintext and presents it as the recommended path without warning about local exposure risks. Plaintext persistent secrets can be read by other local users, malware, backups, shell tooling, or accidental file disclosure, which is especially sensitive because these credentials authorize account access and trading actions.

Session Persistence

Medium
Category: Rogue Agent
Content:
### Option 1: Config file (recommended)

Create `~/.phemexrc` — credentials persist across sessions without exporting env vars:

```bash
# ~/.phemexrc
```
Confidence: 94%
Finding: Create `~/.phemexrc` — credentials persist across sessions without exporting env vars:

```bash
# ~/.phemexrc
PHEMEX_API_KEY=your-api-key
PHEMEX_API_SECRET=your-api-secret
PHEMEX_API_URL=https://api.p
```

VirusTotal

65/65 vendors flagged this skill as clean.
