Crypto Auto Trader

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed crypto trading automation skill, but users should handle exchange credentials and live trading mode carefully.

Before installing, use paper or sandbox mode first, create exchange API keys with withdrawals disabled, restrict IPs if supported, set small position and loss limits, and only enable live trading when you understand the strategy and risks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The quick-start flow instructs users to place exchange API credentials into a local config file and immediately launch an automated trading bot, but it does not provide basic security guidance such as using least-privilege API keys, disabling withdrawal permissions, storing secrets outside the repo, or testing in paper/sandbox mode first. In the context of a crypto auto-trading skill, this is especially dangerous because misuse or leakage of exchange credentials can directly lead to unauthorized trading losses and potentially account compromise.

VirusTotal

63/63 vendors flagged this skill as clean.
