MoltMarkets Trading Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent with its trading-agent purpose, but it enables quiet recurring automation that can use stored credentials to trade, create markets, post comments, and resolve markets.

Install only if you are comfortable with an autonomous bot making real MoltMarkets account changes. Use a low-balance or test account, restrict the API key if possible, protect the credentials file, keep logs or notifications enabled, review each cron definition before adding it, and avoid enabling automatic resolution unless you accept the risk of incorrect or hard-to-reverse outcomes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The skill claims to provide a complete autonomous trading/creation/resolution system, but the file mainly gives setup instructions and defers critical behavior to referenced files and later manual steps. This mismatch is dangerous because users may trust that risk controls, cron behavior, and trading logic are implemented when they are not, leading to unsafe deployment and unexpected external actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The resolution cron explicitly instructs the agent to read a local credentials file, which grants access to secrets not necessary for a passive reference document and expands the skill into privileged secret handling. In this context, those credentials are then used for authenticated external actions, so compromise or misuse could lead to unauthorized market resolutions and account abuse.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill instructs users to place a live API key in a persistent local file without warning about file permissions, secret rotation, or avoiding accidental disclosure. This is dangerous because API keys for a trading platform can be exfiltrated from disk, committed to source control, or accessed by other local processes, enabling unauthorized trading or account actions.

Missing User Warnings

Severity: High
Confidence: 96%
Finding: The skill encourages unattended cron-driven trading, market creation, and resolution without prominently warning that these actions can spend user funds, alter market state, and trigger repeated external API interactions. In context, this is especially risky because the agent is framed as autonomous and aggressive, increasing the chance users enable high-impact automation without sufficient safeguards.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The creator cron directs the agent to create markets and silently update local ROI files with NO_REPLY output, which obscures both external state changes and persistent local modifications from the user. Hidden autonomous actions are risky because they can spend funds, alter trading state, and leave the operator unaware until after damage is done.

Missing User Warnings

Severity: High
Confidence: 96%
Finding: The resolution cron performs authenticated, irreversible external actions by resolving markets and silently updating ROI tracking without a clear warning to the operator. Because market resolution affects financial outcomes and cannot easily be undone, hidden automation materially increases the chance of account damage, incorrect resolutions, and disputes.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The script accesses a sensitive credential file in the user's home directory without any runtime disclosure or confirmation prompt, which can surprise users and normalize silent secret access. In an agent-skill context, this is more concerning because setup scripts may be run with high trust and users may not realize local secrets are being consumed automatically.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The script transmits the API key in an outbound request to validate it, but does not clearly disclose that the secret will be sent over the network during setup. Although HTTPS is used and the destination appears related to the service, hidden outbound use of credentials is risky in a skill because users may execute it without understanding that authentication material will immediately leave the host.

Credential Access

Severity: High
Category: Privilege Escalation
Content (excerpt from the skill's setup instructions):

```bash
mkdir -p ~/.config/moltmarkets

# Save your credentials (get API key from moltmarkets.com settings)
cat > ~/.config/moltmarkets/credentials.json << 'EOF'
{
  "api_key": "mm_your_api_key_here",
  "user_id": "your-user-uuid",
```

Confidence: 97%
Finding: credentials.json

Session Persistence

Severity: Medium
Category: Rogue Agent
Content (excerpt from the skill's setup instructions):

### 1. Get MoltMarkets Credentials

```bash
# Create config directory
mkdir -p ~/.config/moltmarkets

# Save your credentials (get API key from moltmarkets.com settings)
```

Confidence: 87%
Finding: Create config directory mkdir -p ~/.config/moltmarkets # Save your credentials (get API key from moltmarkets.com settings) cat > ~/.config

VirusTotal

66/66 vendors flagged this skill as clean.