Crypto Auto Trader Strategy

Security checks across malware telemetry and agentic risk

Overview

This appears to be a crypto auto-trading package, but it asks users to run an autonomous trading bot with exchange keys while leaving code provenance and credential controls under-specified.

Review carefully before installing or paying. Do not use exchange keys with withdrawal permission, restrict keys to the minimum trading permissions needed, use small limits, keep credentials out of git and shared folders, lock down file permissions, and inspect the actual source code before running any persistent trading process.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill tells users to place exchange API keys in a local config.json file but provides no guidance on secure storage, least-privilege API scopes, file permission restrictions, or exclusion from version control. In a crypto auto-trading context, mishandled exchange credentials can directly enable unauthorized trading or fund loss if the file is exposed through logs, backups, repos, or shared deployment environments.

VirusTotal

VirusTotal findings are pending for this skill version.
