Back to skill

Security audit

Boktoshi Bot Trading Skill

Security checks across malware telemetry and agentic risk

Overview

This is a small, disclosed Boktoshi bot-trading skill, but it gives an agent access to trading and position-management endpoints if you provide an API key.

Install only if you intend to let an agent use Boktoshi/MechaTradeClub bot endpoints. Use the least-privileged MTC_API_KEY available, set explicit trade and position limits before use, avoid letting the agent act without confirmation for trades or closures, and rotate the key if it is ever exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly exposes live trading, position-closing, and reward-claiming endpoints but does not warn users that these actions can trigger real financial transactions or irreversible changes. In an agent setting, this omission increases the chance of unsafe automation, accidental trade execution, or unintended liquidation because a caller may treat the skill as routine API access rather than high-risk financial control.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.