Back to skill

Security audit

PRISM OS SDK

Security checks across malware telemetry and agentic risk

Overview

The skill is presented as read-only market data, but its artifacts also include under-disclosed trading, order, webhook, wallet, and API-key administration capabilities.

Review this as a financial-operations SDK, not just a read-only data helper. Install only if you are comfortable giving it a PRISM API key that may reach admin and execution-related endpoints, and avoid exposing any trading, wallet, webhook, or key-management methods to autonomous agents unless you add explicit approval gates, limits, and separate scoped credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (48)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The architecture doc explicitly describes a live trade execution pipeline, including quoting, simulation, and `dex.executeSwap`, which contradicts the stated skill metadata that this SDK is 'data retrieval only' and read-only. This kind of capability mismatch is dangerous because downstream agents, reviewers, or users may grant the skill broader trust than intended, enabling unauthorized financial actions if execution features exist or are later added without corresponding safeguards.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The roadmap includes numerous non-read-only capabilities such as `execute.arbitrage`, `execute.dca`, `execute.twap`, treasury management, conditional automation, and multi-step atomic execution, directly conflicting with the declared read-only financial-data purpose. In an agent ecosystem, this discrepancy increases the risk of capability smuggling, where a seemingly harmless data skill evolves into an execution surface without users or integrators realizing the trust implications.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The OpenClaw integration example shows agents auto-registering `execute` tools from this SDK, which normalizes trade/execution capabilities despite the skill being presented as read-only. That mismatch is dangerous because agent builders may include the package under false assumptions and unintentionally expose high-risk actions in autonomous workflows.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is described as read-only financial data retrieval, but this document exposes execution primitives such as order placement and conditional actions. That mismatch can cause an agent, integrator, or user to grant trust and permissions under false assumptions, creating a path to unintended live trading or other state-changing actions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Order execution is materially different from read-only market data access because it can directly change financial positions and cause monetary loss. In an agent context, undocumented trading functions are especially dangerous because downstream systems may allow invocation under the assumption that the skill cannot perform side effects.

Intent-Code Divergence

High
Confidence
92% confidence
Finding
Branding the SDK as a universal finance data platform while contradicting the claimed read-only posture can mislead reviewers and users about the real risk profile. This is dangerous because deceptive or inconsistent capability framing reduces scrutiny around high-impact actions like trade execution.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The example agent exposes sports betting, odds comparison, and prediction-market arbitrage workflows that go beyond the stated skill scope of read-only market, price, and fundamentals data. This is dangerous because downstream users and agent frameworks may rely on the manifest description for trust and policy decisions; undisclosed gambling/arbitrage capabilities can bypass expected guardrails and enable higher-risk financial behavior.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The example materially exceeds the stated "data retrieval only" scope by demonstrating execution-oriented workflows, including a production batch with swap/deposit actions and actual registration of protocol monitoring webhooks. Even though the trade path is commented or simulated in this file, examples strongly shape agent behavior and can cause downstream systems or users to treat the SDK as safe for action-taking and remote callbacks.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code reads a webhook URL from environment configuration and registers remote monitoring callbacks, creating outbound data flow not expected from a read-only market-data SDK example. This can leak portfolio/protocol activity to third-party endpoints or normalize hidden exfiltration channels in agent deployments.

Context-Inappropriate Capability

Medium
Confidence
75% confidence
Finding
An SDK advertised as read-only financial retrieval should not expose API key management capability, because credential-management operations expand the trust boundary from passive data access to administrative control. In agent contexts, this can enable unauthorized key creation, rotation, disclosure, or misuse if downstream code assumes the package is safe for low-risk read-only use.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The module adds trading-adjacent capabilities such as token unlock schedules and yield opportunity discovery, which go beyond the declared scope of a read-only market/fundamental data SDK. While these methods are still data retrieval only, the comments explicitly position them for timing trades and yield-seeking workflows, creating a scope mismatch that can mislead downstream agents, policy engines, or users who rely on the manifest to constrain financial behavior.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This module advertises and exposes API key lifecycle, account usage, admin usage, and health/status operations even though the skill metadata says it is a read-only financial data SDK. That scope mismatch is dangerous because agent frameworks may surface these methods as available tools, enabling unintended account/security-sensitive actions and privileged introspection that users would not expect from a market-data skill.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code includes methods to create, list, rotate, revoke, and verify API keys, which are credential-management operations unrelated to a stated read-only market-data skill. In an agent context, such methods materially increase risk because prompt injection, tool misuse, or confused-deputy behavior could cause credential issuance, rotation, or revocation with direct account security impact.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Platform-wide usage statistics and detailed health/service introspection exceed the expected scope of a read-only finance-data skill and can disclose internal operational metadata. While less severe than credential mutation, these endpoints can aid reconnaissance, reveal admin-only information, and broaden the attack surface available to an LLM agent.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The revokeKey method claims to revoke a key but actually performs a GET request to the key resource instead of a delete/revoke operation. This is dangerous because callers may falsely believe a credential has been invalidated when it remains active, creating a security gap during incident response or key rotation.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This module exposes state-changing trading functionality (`buildSwapTx`, `simulateSwap`, `executeSwap`) inside a skill whose metadata explicitly claims 'data retrieval only' and 'read-only endpoints'. That mismatch is dangerous because downstream agents, users, or policy engines may trust the manifest and permit this module in contexts where transaction-capable code should be blocked, enabling unintended asset movement or signing flows.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
`agentLPEnter` performs automated liquidity provision, which is a write operation that can commit user funds on-chain, directly contradicting the declared read-only SDK scope. In an agent ecosystem, such capability smuggling is especially risky because policy decisions may rely on metadata rather than deep code inspection.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The file header explicitly advertises 'On-chain trading' and 'execute' behavior, which conflicts with the package description claiming a read-only financial data SDK. This inconsistency is a security-relevant integrity issue because it signals that the implemented capability set may exceed declared trust boundaries and can mislead reviewers or automated allowlisting systems.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
`executeSwap` obtains a quote, builds a transaction, asks an external signer to sign it, and then broadcasts it, creating a complete fund-moving path in a supposedly read-only SDK. Even if signing is external, the skill can steer agents into authorizing and submitting on-chain swaps, which is materially dangerous in autonomous or semi-autonomous environments.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
`agentLPEnter` directly posts LP entry parameters to a backend endpoint, enabling automated liquidity provision and exposure to pool, slippage, and impermanent-loss risks. This is incompatible with a read-only data skill and could cause users or agents to commit capital unexpectedly under a false assumption of non-mutating behavior.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The module exposes active trading, payment, and treasury-management operations even though the skill is described as a read-only financial data SDK. This mismatch is dangerous because an integrating agent or user may grant trust, permissions, or deployment approval under false assumptions, leading to unauthorized financial actions and fund movement.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The file header explicitly presents the component as autonomous agent action/execution logic, which is incompatible with the advertised read-only market-data purpose. In this context, hidden or unjustified execution primitives increase the chance that a supposedly safe data skill is used to place trades or trigger other irreversible actions.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
x402 payments and agent treasury management are state-changing financial capabilities unrelated to passive data retrieval. In a skill marketed as read-only, these methods create a high risk of misuse because downstream systems may not sandbox or review them as dangerous money-moving operations.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation states this module is for agent execution and acting, which directly contradicts the skill's documented read-only intent. Documentation/manifest inconsistency is a security issue here because operators and agents often rely on metadata to decide trust boundaries, allowed permissions, and review depth.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata promises a read-only financial data SDK, but this module exposes a state-changing trading endpoint via `placeOrder()`. That mismatch is dangerous because agents or users may grant trust, permissions, or automation authority under the assumption that the package cannot execute trades, when it can submit orders and include wallet-related parameters.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.