DEX Price Monitor

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed DEX monitoring tool, but its payment helper can automatically charge a SkillPay user using an environment-derived identity and an embedded billing key.

Install only if you accept the 0.01 USDT SkillPay charge model and can verify exactly which user ID will be billed. Treat the embedded billing key, automatic charge behavior, anonymous fallback, and simulated demo price data as issues to review before relying on this for trading or alerts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Tainted flow: 'user_id' from os.environ.get (line 96, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
Returns: {"ok": bool, "balance": float, "payment_url": str|None}
    """
    try:
        resp = requests.post(
            f"{BILLING_API_URL}/api/v1/billing/charge",
            headers=HEADERS,
            json={
Confidence
92% confidence
Finding
resp = requests.post( f"{BILLING_API_URL}/api/v1/billing/charge", headers=HEADERS, json={ "user_id": user_id, "skill_id": SK

Tainted flow: 'webhook_url' from os.getenv (line 163, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
'username': 'DEX Price Alert'
        }
        
        response = requests.post(webhook_url, json=payload, timeout=10)
        if response.status_code == 204:
            logger.info("✅ Discord通知已发送")
        else:
Confidence
84% confidence
Finding
response = requests.post(webhook_url, json=payload, timeout=10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises operational capabilities such as reading references/scripts, writing logs/configs, and calling external APIs, yet no permissions are declared. This creates a transparency and governance gap: users and the host system cannot accurately assess or constrain what the skill may access or transmit.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill's stated purpose is DEX price monitoring, but the analysis indicates additional billing behavior including charging users, querying balances, generating payment links, contacting skillpay.me, and using a hardcoded billing API key. Hidden monetization and embedded secrets materially change the trust model and could expose users to unauthorized charges or abuse of the billing account.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file implements full billing enforcement in a skill advertised as a DEX price-monitoring tool, which is outside the declared purpose and materially changes the trust and data-handling model. Hidden monetization logic increases the risk of deceptive behavior, unexpected data exfiltration to a third party, and unauthorized charging in contexts where users would not expect payment enforcement.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill reads environment-based identity information for billing even though the stated purpose is market monitoring, not account management or payments. This creates unnecessary access to user identity context and can enable misbilling or privacy issues if the environment variable is spoofed, stale, or shared across contexts.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The function is documented as merely verifying payment status, but it actually performs a charge by calling charge_user. This mismatch is dangerous because callers may invoke it expecting a harmless check, causing silent billing side effects and undermining code review, user consent, and safe integration.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The code labels the metric as savings/extra gained, but computes `worst.to_amount - best.to_amount`, which produces a negative value when the best quote is actually better. In a trading decision tool, this can mislead users about route quality and may cause incorrect execution choices or suppression of real arbitrage opportunities.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The printed user-facing message says 'best choice' and 'extra received', but the displayed value is derived from the same reversed subtraction, so the output contradicts the text. This is dangerous because operators may trust the console summary and make financially harmful routing decisions based on inverted results.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The main monitoring path calls simulate_prices() instead of live market or DEX APIs, despite the file and skill metadata presenting the tool as a real-time DEX monitor. This can mislead users into acting on fabricated arbitrage signals and price alerts, creating financial risk in a trading context where data accuracy is security-relevant.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The implemented behavior does not provide actual multi-DEX, multi-chain real-time monitoring as advertised; it operates on locally generated synthetic values. In a financial assistant, this mismatch can cause users or downstream automations to trust nonexistent market observations and make harmful decisions.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill encourages notifications through Telegram, Discord webhooks, email, SMS, and webhooks without clearly warning that alert contents and monitoring configuration may be sent to third-party services. That can leak trading interests, wallet-related context, strategy thresholds, or other sensitive operational data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code attempts to charge the user automatically at skill start without a just-in-time warning, consent prompt, or confirmation step. This creates a clear risk of surprise charges, accidental billing, and user harm, especially because the charge is triggered in a helper named to sound like verification rather than payment execution.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The document provides multiple examples that transmit alert content and metadata to third-party services such as Telegram, Discord, email, and arbitrary webhooks, but it does not warn users that token pairs, prices, timestamps, and possibly infrastructure details will leave the local environment. In a monitoring skill, this can lead to unintentional data disclosure or unsafe handling of API tokens and webhook URLs, especially when users copy examples directly into production.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The email example demonstrates passing a plaintext password directly into the function call, which normalizes insecure credential handling and encourages hardcoding secrets in code, notebooks, or config files. If reused by users, these credentials may be exposed through source control, logs, screenshots, or shared examples, enabling account compromise and broader notification-channel abuse.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document provides ready-to-use Telegram bot token and Discord webhook examples that send alert content to third-party services, but it does not warn users about secure secret handling, chat/webhook exposure, or the privacy implications of transmitting monitoring data off-platform. In a monitoring skill, this increases the chance that users will hardcode credentials, leak them in logs or repos, or unknowingly route sensitive trading or operational signals to external providers.

VirusTotal

67/67 vendors flagged this skill as clean.
