Back to plugin

Security audit

LP Evil Panda

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims—runs an autonomous crypto LP bot—but it ships with exposed credentials and risky automated trading defaults that need review before use.

Install only if you intend to run an autonomous crypto trading bot. Before use, delete the packaged .env, rotate/replace the exposed API key, use a separate low-balance wallet with OpenWallet policies, keep the circuit breaker enabled, reduce MAX_POSITIONS, avoid private-key fallback, and review any setup command before allowing global npm installs.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
.env:1
Evidence
LP_AGENT_API_KEY=[REDACTED]

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/lp-agent-client.js:30
Evidence
this.apiKey = [REDACTED];

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
README.md:71
Evidence
| Private key | `PRIVATE_KEY=[REDACTED]` | Env var (least secure) |

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/lp-agent-client.ts:124
Evidence
this.apiKey = [REDACTED];