File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- .env:1
- Evidence
LP_AGENT_API_KEY=[REDACTED]
Security audit
Security checks across malware telemetry and agentic risk
The skill mostly does what it claims—runs an autonomous crypto LP bot—but it ships with exposed credentials and risky automated trading defaults that need review before use.
Install only if you intend to run an autonomous crypto trading bot. Before use, delete the packaged .env, rotate/replace the exposed API key, use a separate low-balance wallet with OpenWallet policies, keep the circuit breaker enabled, reduce MAX_POSITIONS, avoid private-key fallback, and review any setup command before allowing global npm installs.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal
LP_AGENT_API_KEY=[REDACTED]
this.apiKey = [REDACTED];
| Private key | `PRIVATE_KEY=[REDACTED]` | Env var (least secure) |
this.apiKey = [REDACTED];