Okx Strategy Factory

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed trading automation pipeline, but it can reach live wallet, VPS deployment, and GitHub publishing actions without consistently requiring explicit approval at each high-impact step.

Review before installing. Use this only if you intend to let an agent help generate, test, package, and potentially deploy live on-chain trading strategies. Keep credentials in scoped environment variables or a secret manager, and prefer read-only or limited keys where possible. Require explicit approval before any production deployment, GitHub release, token approval, swap, transfer, or contract-call action. Start with dry-runs or test funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding
The skill metadata and top-level documentation present this as a coordinated five-agent strategy pipeline, but the described behavior includes repository publishing, filesystem-driven validation, arbitrary file copying, and local hook logic that materially expands its capabilities beyond the declared purpose. In an agent setting, this kind of scope mismatch is dangerous because users and orchestration layers may grant trust or permissions based on the stated purpose, while the actual workflow can write to repos, manipulate local files, and trigger deployment-adjacent actions.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The README explicitly describes deployment to a VPS, process management, rollback behavior, and publishing actions, but it does not prominently warn that the skill can perform system-impacting operations and external releases. In a multi-agent automation context, users may invoke the skill expecting analysis or code generation only, while it can trigger infrastructure changes and publication workflows, increasing the risk of unintended deployment or exposure.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The README explicitly describes SSH-based VPS deployment and GitHub publishing as part of the workflow, but does not provide a clear warning that these are system-impacting operations requiring explicit user confirmation and scoped credentials. In an agent skill context, operational steps can be executed or strongly suggested automatically, so omission of consent and safety boundaries increases the risk of unintended remote changes, service deployment, rollback actions, or public release of code/artifacts.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The prerequisites list OKX API keys, an agentic wallet with TEE signing, VPS access, and optional 1Password usage, but does not warn users not to paste secrets into prompts or explain how credentials are isolated and used. In a multi-agent trading/deployment pipeline, these credentials could enable fund movement, account access, or infrastructure compromise if mishandled by the skill or exposed through logs, generated files, or downstream agents.
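One way to enforce the overview's recommendations (dry-runs by default, explicit approval before each high-impact step, credentials referenced by name rather than pasted into prompts or arguments) and to address the credential-handling gap in this finding: a gate that every tool call passes through before anything is executed. This is an added example, not code from the skill; the action kinds, the environment variable names and the class and function names are assumptions for illustration.

```python
"""Action gate for an agent-driven trading and deployment pipeline.

Added example, not code from the skill. It enforces three rules: high-impact
actions are simulated unless dry-run is switched off, each live high-impact
action needs a one-time approval bound to its exact parameters, and raw secret
values are rejected from action arguments (the agent refers to credentials by
environment variable name). All names below are hypothetical.
"""
import hashlib
import json
import os
from dataclasses import dataclass
from typing import Optional

# Actions that spend assets, change infrastructure, or publish artifacts.
HIGH_IMPACT = {"deploy_vps", "github_release", "token_approve", "swap",
               "transfer", "contract_call"}

# Hypothetical names of the variables holding OKX API and wallet secrets.
SECRET_ENV_NAMES = ("OKX_API_KEY", "OKX_API_SECRET", "OKX_PASSPHRASE", "WALLET_KEY")


@dataclass
class Action:
    kind: str
    args: dict

    def digest(self) -> str:
        """Hash of kind plus canonical args. An approval is bound to this value,
        so approving a 100 USDC swap does not authorise a 1000 USDC swap."""
        canon = json.dumps({"kind": self.kind, "args": self.args}, sort_keys=True)
        return hashlib.sha256(canon.encode()).hexdigest()


@dataclass
class Decision:
    allowed: bool
    dispatched: bool   # True only when the action was handed to an executor
    reason: str


class ActionGate:
    def __init__(self, dry_run: bool = True, env: Optional[dict] = None):
        self.dry_run = dry_run
        self.env = dict(os.environ) if env is None else env
        self._approved: set = set()   # pending one-time approvals, by digest
        self.log: list = []           # actions that were actually dispatched

    def approve(self, action: Action) -> str:
        """Called by the human-facing UI after it has shown the exact action."""
        d = action.digest()
        self._approved.add(d)
        return d

    def _leaked_secret(self, action: Action) -> Optional[str]:
        """Name of the first secret whose value appears in the arguments, if any."""
        blob = json.dumps(action.args)
        for name in SECRET_ENV_NAMES:
            value = self.env.get(name)
            if value and len(value) >= 8 and value in blob:
                return name
        return None

    def run(self, action: Action) -> Decision:
        leaked = self._leaked_secret(action)
        if leaked:
            return Decision(False, False,
                            f"raw value of {leaked} in arguments; pass a reference instead")
        if action.kind not in HIGH_IMPACT:
            self.log.append(action)
            return Decision(True, True, "low-impact action")
        if self.dry_run:
            return Decision(True, False, "dry run: high-impact action simulated only")
        d = action.digest()
        if d not in self._approved:
            return Decision(False, False,
                            f"explicit approval required for {action.kind} ({d[:12]})")
        self._approved.discard(d)     # one approval covers exactly one execution
        self.log.append(action)
        return Decision(True, True, "approved and executed")
```

The real executors (SSH deployment, GitHub release, wallet calls) sit behind the gate and receive only actions it reports as dispatched. Binding the approval to a digest of the full action is what stops a blanket "yes" from being replayed against different parameters, and consuming it on use is what stops one confirmation from covering a loop of trades.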

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The trigger phrases include broad terms such as strategy development, backtest, iteration strategy, publish skill, and deploy strategy, which are common in ordinary discussion and can cause unintended activation. In this skill's context, accidental invocation is more dangerous than usual because the documented workflow includes spawning agents, writing strategy state, publishing artifacts, and deployment steps.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The template defines activation based on any trigger keyword match, but provides no constraints for exact matching, disambiguation, exclusions, or user confirmation. In an agent skill, this can cause unintended skill invocation and inappropriate context loading, which may steer subsequent actions using the wrong specification or authority source.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The keyword-based loading rules are underspecified and treat loaded references as ground truth without defining robust gating or conflict resolution beyond a simple precedence example. This creates a prompt-injection-like risk surface where accidental or adversarial wording may trigger the wrong references, overriding safer baseline behavior and producing incorrect or unsafe agent actions.
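The three trigger findings above describe the same gap from different angles: substring keyword matching, no exclusions or confirmation step, and loaded references treated as ground truth with only a precedence example for conflicts. The matcher below is an added example, not the skill's own loading rules. It matches whole phrases only, skips messages that discuss or negate an action rather than request it, applies explicit priorities but reports a tie as ambiguous instead of loading both references, and flags the deployment and publishing triggers for confirmation. The trigger phrases are the ones the findings quote; the reference file names and priority values are assumptions.

```python
"""Trigger matching with phrase boundaries, exclusions, explicit precedence
and a confirmation flag for high-impact triggers.

Added example, not the skill's own loading logic. Reference file names and
priorities are hypothetical; the phrases are the ones quoted in the findings.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    phrase: str            # matched as whole words, case-insensitive
    reference: str         # file to load when the rule fires (hypothetical)
    priority: int          # higher wins; a tie is reported, never resolved silently
    confirm: bool = False  # high-impact: confirm with the user before acting


RULES = [
    Rule("deploy strategy", "references/deploy.md", 30, confirm=True),
    Rule("publish skill", "references/publish.md", 30, confirm=True),
    Rule("backtest", "references/backtest.md", 10),
    Rule("strategy development", "references/develop.md", 10),
    Rule("iteration strategy", "references/iterate.md", 10),
]

# Wording that signals discussion or negation rather than a request.
EXCLUSIONS = re.compile(
    r"\?\s*$|\b(what is|explain|why|how does|don't|do not|never)\b", re.I)


@dataclass
class Match:
    reference: Optional[str]  # None when nothing fires or the result is ambiguous
    ask_user: bool            # confirm a high-impact trigger, or disambiguate
    reason: str


def _hits(message: str) -> List[Rule]:
    # \b on both sides: "backtests" or "deploy strategy-x" do not fire.
    return [r for r in RULES
            if re.search(r"\b" + re.escape(r.phrase) + r"\b", message, re.I)]


def select_reference(user_message: str) -> Match:
    """Only the user's own message is matched here. Tool output and fetched
    content never reach this function, so keyword baiting in data cannot
    fire a rule or swap in a different reference as 'ground truth'."""
    if EXCLUSIONS.search(user_message):
        return Match(None, False, "discussion or negation, no trigger")
    hits = _hits(user_message)
    if not hits:
        return Match(None, False, "no trigger")
    top = max(r.priority for r in hits)
    winners = [r for r in hits if r.priority == top]
    if len(winners) > 1:
        names = ", ".join(r.phrase for r in winners)
        return Match(None, True, f"ambiguous ({names}); ask which was meant")
    rule = winners[0]
    note = " (confirm before acting)" if rule.confirm else ""
    return Match(rule.reference, rule.confirm, f"matched '{rule.phrase}'{note}")
```

The important property is that the function returns at most one reference and says why; the agent loads that file only, and any ambiguity or high-impact match goes back to the user before the reference is treated as authoritative.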

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The document provides direct wallet transfer and contract-call commands that can move funds or trigger irreversible on-chain actions, but it does not prominently warn operators that these actions spend real assets and cannot be undone. In a strategy-automation skill, that omission materially increases the chance of unsafe execution by downstream agents or users.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The swap workflow documents approve and swap as normal execution steps without clearly warning that token approvals can grant spending rights and swaps will spend user assets. In an automated trading context, omission of those warnings is more dangerous because agents may operationalize the flow at scale and approvals can persist beyond a single trade.
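The two findings above concern approvals that persist beyond a single trade and transfers that cannot be undone. The check below is an added example, not code from the skill. It decodes the ERC-20 approve(address,uint256) and transfer(address,uint256) calldata an agent is about to submit, refuses unlimited or over-cap approvals and unknown addresses, marks every such call as irreversible so the gate demands operator approval, and builds the approve(spender, 0) call that revokes the allowance once the swap is done. The two function selectors are the standard ERC-20 ones; the allowlist, the cap and the function names are assumptions.

```python
"""Pre-execution check for ERC-20 approve and transfer calldata.

Added example, not code from the skill. Selectors are the standard ERC-20
ones; the allowlist, cap and function names are hypothetical policy.
"""
from dataclasses import dataclass

APPROVE = bytes.fromhex("095ea7b3")    # approve(address,uint256)
TRANSFER = bytes.fromhex("a9059cbb")   # transfer(address,uint256)
MAX_UINT256 = (1 << 256) - 1

# Hypothetical policy: addresses (lower-case hex) that may receive approvals or
# transfers, and the largest single approval in the token's smallest unit.
ADDRESS_ALLOWLIST = {"0x" + "11" * 20}
APPROVAL_CAP = 1_000 * 10**6           # 1000 units of a 6-decimal token


def encode_call(selector: bytes, addr: str, amount: int) -> bytes:
    """ABI-encode (address,uint256): selector + two left-padded 32-byte words."""
    word_addr = bytes.fromhex(addr[2:]).rjust(32, b"\x00")
    return selector + word_addr + amount.to_bytes(32, "big")


def decode_call(calldata: bytes):
    """Return (selector, address, amount); reject anything that is not exactly
    one address word and one uint256 word behind the selector."""
    if len(calldata) != 4 + 32 + 32:
        raise ValueError("unexpected calldata length %d" % len(calldata))
    sel, word1, word2 = calldata[:4], calldata[4:36], calldata[36:68]
    if word1[:12] != b"\x00" * 12:
        raise ValueError("address word has non-zero padding")
    return sel, "0x" + word1[12:].hex(), int.from_bytes(word2, "big")


@dataclass
class Verdict:
    ok: bool            # passes policy; the gate must still obtain operator approval
    irreversible: bool  # spends assets or grants spending rights on-chain
    reason: str


def inspect_call(calldata: bytes) -> Verdict:
    sel, addr, amount = decode_call(calldata)
    if sel == APPROVE:
        if amount == MAX_UINT256:
            return Verdict(False, True, "unlimited approval; allowance would outlive this trade")
        if addr not in ADDRESS_ALLOWLIST:
            return Verdict(False, True, f"spender {addr} is not on the allowlist")
        if amount > APPROVAL_CAP:
            return Verdict(False, True, f"approval {amount} exceeds cap {APPROVAL_CAP}")
        return Verdict(True, True, f"bounded approval of {amount} to allowlisted spender")
    if sel == TRANSFER:
        if addr not in ADDRESS_ALLOWLIST:
            return Verdict(False, True, f"transfer to {addr} is not on the allowlist")
        return Verdict(True, True, f"transfer of {amount}; cannot be undone once mined")
    return Verdict(False, False, f"unknown selector {sel.hex()}; do not submit blind")


def revoke_call(spender: str) -> bytes:
    """approve(spender, 0): submit after the swap so no allowance persists."""
    return encode_call(APPROVE, spender, 0)
```

The check runs on the bytes that will be signed, not on the agent's description of what it intends to do. Even a bounded approval should be followed by the revoke call, since an allowance left behind is exactly the persistence the finding warns about.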

Missing User Warnings

Severity: Low
Confidence: 90%
Finding
The skill explicitly instructs the agent to write a review artifact into the workspace, but it does not require a user-visible warning or confirmation before modifying files. This is dangerous because even non-code outputs can overwrite existing analysis records, create unintended repository changes, or surprise users who expected read-only review behavior.

Missing User Warnings

Severity: Low
Confidence: 94%
Finding
The skill instructs the agent to append cross-strategy lessons into a shared reference file, which affects content outside the immediate strategy scope. This is more dangerous than a local review write because it can contaminate shared documentation, introduce incorrect generalized guidance across strategies, and modify common project knowledge without explicit user approval.

VirusTotal

65/65 vendors flagged this skill as clean.