Back to skill

Security audit

Orderly Ui Components

Security checks across malware telemetry and agentic risk

Overview

This is a coherent trading-workflow skill, but its examples cover live wallet, order, position, withdrawal, and leverage actions without consistently requiring strong user confirmation or sandbox safeguards.

Review carefully before installing or using this skill to build a live trading app. Prefer sandbox/test accounts first, require explicit confirmations for orders, closes, withdrawals, and leverage changes, display network/account/amount/fees/slippage/liquidation impact before submission, and avoid granting broad wallet or trading-key authority to unreviewed code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill includes order submission code and labels like 'Order submitted' without any caution that these examples may execute real trades when wired to a live account. In a trading-interface skill, omitting a warning materially increases the chance that a developer copies the example into production or testing against live funds, leading to unintended financial actions.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The wallet connection examples encourage immediate wallet connection and display account information, but provide no warning about privacy implications, network verification, or the risk of connecting a real wallet to an unreviewed application. In the context of a trading UI skill, wallet connectivity is security-sensitive because it is the gateway to signing actions and exposing account metadata.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The 'Close Position' UI presents a destructive financial action as a simple button inside an informational sheet, with no confirmation, risk disclosure, or indication of irreversible market impact. In a trading context this is especially dangerous because users may trigger liquidation-like or loss-realizing actions accidentally if developers follow the example literally.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.