Back to skill

Security audit

Apex

Security checks across malware telemetry and agentic risk

Overview

This is an openly disclosed ApeX futures trading skill, but it needs Review because it can use live credentials to place or cancel real orders with limited built-in safeguards.

Install only if you intentionally want an agent-assisted tool with access to an ApeX perpetual futures account. Use testnet first, use restricted and revocable API credentials, keep the Omni seed private, and manually verify every symbol, side, size, environment, and cancel-all action before allowing execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This script goes beyond passive market data retrieval and emits explicit trade recommendations such as entering LONG or SHORT positions. In the context of an ApeX trading skill that can place or execute trades, introducing undeclared advisory logic increases the chance that the broader skill could act on simplistic external signals without user awareness or appropriate controls.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code produces direct actionable advice ('Enter BTC LONG' / 'Enter ETH SHORT') from a very narrow heuristic based on recent price and volume changes. Because the surrounding skill is for perpetual futures trading, this advice could be mistaken for trusted strategy logic and lead users or automation to take leveraged positions on weak, unaudited signals.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script is presented as a position-checking utility, but it also mutates local state by writing trading-state.json. In a trading skill, unexpected state changes can mislead operators and downstream automation that assumes the command is read-only, creating integrity and auditability risks even though it does not directly place trades.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The doc comment claims the script only checks positions and calculates P&L, but the implementation also persists account size, timestamps, and current positions to disk. This discrepancy is dangerous because users and higher-level agents may grant the script broader trust than intended, especially in a financial context where hidden persistence can affect future decisions.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The Chinese trigger phrases are very broad generic expressions such as '报名活动' and '参加活动', which can match ordinary conversation and cause the trading skill to activate without clear ApeX-specific intent. In a skill that can submit reward enrollments and execute trading-related actions, overly broad triggers increase the risk of unintended invocation and downstream sensitive actions being prepared or performed in the wrong context.

Natural-Language Policy Violations

Low
Confidence
81% confidence
Finding
The skill defines language-specific trigger behavior for Chinese inputs without requiring explicit user opt-in or stronger contextual binding to the ApeX platform. This broadens the attack surface for accidental or adversarial activation, especially because the skill supports sensitive financial operations and a default enrollment action when no reward ID is provided.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script presents recommendation-style output without any disclaimer that it is heuristic, incomplete, and not suitable as financial advice. In a trading skill context, omission of such warnings materially increases the risk that users treat the output as endorsed guidance and make harmful leveraged trades.

Missing User Warnings

High
Confidence
96% confidence
Finding
The script directly exposes live trading and cancellation commands that immediately place market/limit orders or cancel all orders using production credentials, with no confirmation prompt, dry-run mode, or explicit warning about financial consequences. In an agent-skill context, this is especially dangerous because a misunderstood user request, prompt injection, or automation mistake can trigger irreversible trades or order cancellations on a real account.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script writes sensitive trading account state to a local JSON file without explicit disclosure or opt-in. In the context of a trading skill, persisted positions and equity data can expose portfolio details to other local users, processes, backups, or later automation, increasing confidentiality and integrity risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.