
Security audit

Monte Carlo Crypto Core

Security checks across malware telemetry and agentic risk

Overview

This is a paid trading simulator, but its billing setup ships a fallback API key in the source and a default skill ID that does not belong to this skill, so it needs review before installation.

Install only if you are comfortable with each run contacting SkillPay using a user ID. Configure SKILL_BILLING_API_KEY and SKILL_ID explicitly, do not rely on the bundled defaults, and treat the Monte Carlo output as educational risk analysis rather than financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill manifest exposes environment-variable and network-backed behavior without clearly declaring a permissions model or tightly scoping those capabilities to the Monte Carlo simulation purpose. In this context, hidden access to billing secrets and outbound requests increases the attack surface and makes it easier for a seemingly local analytics skill to exfiltrate data or trigger remote side effects.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is a quantitative trading simulator, but the skill also performs remote billing, balance checks, payment-link generation, and appears to rely on API credentials not central to simulation. This mismatch is dangerous because users or orchestrators may invoke the skill expecting harmless computation while it performs financially sensitive external actions and uses secrets behind the scenes.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest and main description frame the skill as a simulation utility, but the setup and billing sections introduce external payment integration and user billing-state dependencies. This creates a deceptive trust boundary: a caller may believe they are running an offline math tool when they are actually participating in a monetized network workflow with user-specific charging behavior.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Requiring billing secrets and per-user payment handling for a Monte Carlo simulator is not obviously necessary and broadens the skill's operational privileges beyond its stated purpose. In a security review, unjustified secrets and payment flows are risky because they can be abused for unauthorized charging, user tracking, or secret misuse under the cover of a benign analytical feature.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file implements payment and billing operations even though the skill is described as a Monte Carlo crypto trading simulator. This mismatch is dangerous because users or reviewers may grant the skill trust and permissions appropriate for analytics, while it quietly introduces monetization and external payment interactions not justified by the stated function.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
External payment-processing capability is unnecessary for a Monte Carlo trading simulation core and expands the attack surface to include charging users, generating payment links, and transmitting identifiers to a third party. In this context, the capability is more dangerous because it is incongruent with the advertised analytics role and could facilitate unexpected charges or deceptive monetization.

Intent-Code Divergence

Medium
Confidence
81% confidence
Finding
The docstring says the function charges 1 token, but the request body submits amount 0. This inconsistency can mislead reviewers and users about what the code is doing and may mask future abuse if the backend interprets zero-amount charge calls in unexpected ways or if the client behavior differs from the documented intent.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill’s advertised purpose is local Monte Carlo simulation, but the CLI adds a billing action by importing and invoking an external billing module before performing the computation. That creates a hidden side effect and likely network/data transmission path unrelated to the core function, which can surprise users and expand the attack surface if the billing module is compromised or misused.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill can be triggered for broad trading-analysis requests without clear activation constraints, which increases the chance it is invoked in situations where the user did not explicitly consent to paid simulation or external billing behavior. Because this skill couples analytics with billing requirements, vague invocation boundaries make accidental charges or unintended external requests more likely.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill encourages using simulation outputs to justify trading advice without a clear warning that the results are probabilistic and not financial advice. In the context of crypto trading, this is especially risky because users may over-trust model outputs and make harmful financial decisions based on incomplete or misunderstood uncertainty.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code sends user identifiers to an external billing service without any visible notice, consent handling, or privacy explanation in the module. In a skill presented as a trading simulation tool, this undisclosed data transfer is more concerning because users would not reasonably expect billing-related sharing of their identifiers.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The module accesses a sensitive billing API key and even provides a hardcoded fallback secret in source code. This is dangerous because embedded credentials can be extracted from the repository or package, reused by unauthorized parties, and enable abuse of the billing account or service integration.
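Two of the code-level findings above, the charge whose docstring says 1 token while the request body submits amount 0, and the env-var lookup that falls back to a hardcoded API key, are mechanically detectable. The following is an added example, not SkillSpector's code and not the skill's, of an AST-based check for both patterns, run over a constructed sample module written to resemble what the findings describe. The env-var names SKILL_BILLING_API_KEY and SKILL_ID come from this page; the sample's function name, endpoint URL and literal values are constructed for illustration.

```python
"""Added example: static checks for two patterns named in the audit findings.
The sample module below is constructed and is only parsed, never executed."""
import ast
import re

# Constructed sample resembling the behaviour the findings describe.
SAMPLE_SOURCE = '''
import os
import requests

API_KEY = os.environ.get("SKILL_BILLING_API_KEY", "sk_live_example_fallback")
SKILL_ID = os.getenv("SKILL_ID", "some-other-skill")

def charge_user(user_id):
    """Charge the user 1 token for a simulation run."""
    body = {"user_id": user_id, "skill_id": SKILL_ID, "amount": 0}
    return requests.post("https://skillpay.example/charge", json=body,
                         headers={"Authorization": API_KEY})
'''

SECRET_NAME = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD)", re.I)
# "charges 1 token", "Charge the user 1 token", etc.
CHARGE_DOC = re.compile(r"charg\w*\b.*?\b(\d+)\s+tokens?", re.I)


def _is_env_lookup(call: ast.Call) -> bool:
    """True for os.getenv(...) and os.environ.get(...)."""
    f = call.func
    if not isinstance(f, ast.Attribute):
        return False
    if f.attr == "getenv" and isinstance(f.value, ast.Name) and f.value.id == "os":
        return True
    return (f.attr == "get" and isinstance(f.value, ast.Attribute)
            and f.value.attr == "environ"
            and isinstance(f.value.value, ast.Name) and f.value.value.id == "os")


def find_env_defaults(tree: ast.AST) -> list[tuple[int, str, bool]]:
    """Report every env lookup that carries a non-empty string default:
    (line, variable name, whether the name looks like a secret)."""
    hits = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _is_env_lookup(node)):
            continue
        args = list(node.args)
        default = args[1] if len(args) > 1 else None
        for kw in node.keywords:          # os.environ.get(name, default=...)
            if kw.arg == "default":
                default = kw.value
        if (args and isinstance(args[0], ast.Constant) and isinstance(args[0].value, str)
                and isinstance(default, ast.Constant)
                and isinstance(default.value, str) and default.value):
            name = args[0].value
            hits.append((node.lineno, name, bool(SECRET_NAME.search(name))))
    return hits


def find_amount_mismatches(tree: ast.AST) -> list[tuple[str, int, object]]:
    """For each function whose docstring documents a charge of N tokens, report
    any literal "amount" (dict key or keyword argument) in its body that is not N."""
    hits = []
    for fn in ast.walk(tree):
        if not isinstance(fn, ast.FunctionDef):
            continue
        m = CHARGE_DOC.search(ast.get_docstring(fn) or "")
        if not m:
            continue
        documented = int(m.group(1))
        for node in ast.walk(fn):
            literals = []
            if isinstance(node, ast.Dict):
                literals = [(k, v) for k, v in zip(node.keys, node.values)
                            if isinstance(k, ast.Constant) and k.value == "amount"]
            elif isinstance(node, ast.Call):
                literals = [(None, kw.value) for kw in node.keywords if kw.arg == "amount"]
            for _, v in literals:
                if isinstance(v, ast.Constant) and isinstance(v.value, (int, float)) \
                        and v.value != documented:
                    hits.append((fn.name, documented, v.value))
    return hits


def audit(source: str) -> dict:
    """Run both checks over one module's source text."""
    tree = ast.parse(source)
    return {"env_defaults": find_env_defaults(tree),
            "amount_mismatches": find_amount_mismatches(tree)}


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_SOURCE).items():
        for item in items:
            print(kind, item)
```

On the constructed sample the checker reports the fallback for SKILL_BILLING_API_KEY (flagged as secret-looking), the default for SKILL_ID, and the 1-vs-0 mismatch in charge_user. The docstring regex is deliberately loose; a reviewer still has to read each reported function, but the check turns the "docstring says one thing, code does another" finding into something that can run in CI over every skill before it is listed.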

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script automatically attempts to charge the supplied user unless a hidden skip flag is provided, but gives no runtime notice or confirmation immediately before that action. In a skill context, this can lead to unexpected billing-related data transmission or charges, especially if invoked programmatically or by another agent on a user’s behalf.
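The last three findings (user identifiers transmitted without notice, a fallback secret in source, and an automatic charge behind a hidden skip flag) point at one remediation: billing must fail closed when SKILL_BILLING_API_KEY or SKILL_ID is missing, must be opt-in rather than opt-out, and must show the caller the exact request immediately before it is sent. The following is an added example, not the skill's own code, of a CLI billing gate that does this. The SkillPay endpoint URL, the request shape and the --bill flag name are assumptions; the transport is injected so the gate can be exercised without any network access.

```python
"""Added example: a fail-closed, opt-in billing gate for a CLI skill."""
import argparse
import json
import os
from dataclasses import asdict, dataclass
from typing import Callable, Mapping, Optional

SIMULATION_COST_TOKENS = 1  # the documented price of one run; the request must carry this value
DEFAULT_BILLING_URL = "https://skillpay.example/charge"  # assumption, not the real endpoint


class BillingConfigError(RuntimeError):
    """Billing credentials are missing; no charge may be attempted."""


class ConsentRequired(RuntimeError):
    """A charge was requested without an explicit opt-in."""


@dataclass(frozen=True)
class ChargeRequest:
    url: str
    skill_id: str
    user_id: str
    amount: int


def load_billing_config(env: Mapping[str, str]) -> tuple[str, str]:
    """Fail closed: both values must come from the environment. There is no
    bundled fallback key and no default skill ID to fall back on."""
    key = env.get("SKILL_BILLING_API_KEY", "").strip()
    skill_id = env.get("SKILL_ID", "").strip()
    if not key:
        raise BillingConfigError("SKILL_BILLING_API_KEY is not set; refusing to bill")
    if not skill_id:
        raise BillingConfigError("SKILL_ID is not set; refusing to bill")
    return key, skill_id


def prepare_charge(user_id: str, *, consent: bool, env: Mapping[str, str],
                   url: str = DEFAULT_BILLING_URL) -> tuple[ChargeRequest, str]:
    """Build the exact request that would be sent. The amount is the documented
    cost (never a silent 0), and nothing is built without an explicit opt-in."""
    if not consent:
        raise ConsentRequired("charging requires --bill; no request was sent")
    key, skill_id = load_billing_config(env)
    return ChargeRequest(url=url, skill_id=skill_id, user_id=user_id,
                         amount=SIMULATION_COST_TOKENS), key


def bill_before_run(argv: list[str], env: Mapping[str, str],
                    sender: Callable[[ChargeRequest, str], None]) -> Optional[ChargeRequest]:
    """CLI gate: billing is opt-in via --bill instead of opt-out via a hidden skip
    flag, and the request is printed right before `sender` transmits it.
    Returns the request that was sent, or None when the run stayed local."""
    parser = argparse.ArgumentParser(description="Monte Carlo run with an explicit billing gate")
    parser.add_argument("--user", required=True,
                        help="user identifier that will be sent to the billing service")
    parser.add_argument("--bill", action="store_true",
                        help=f"consent to a charge of {SIMULATION_COST_TOKENS} token and to "
                             f"sending --user to {DEFAULT_BILLING_URL}")
    args = parser.parse_args(argv)
    if not args.bill:
        print("billing disabled: running locally, no network request will be made")
        return None
    request, key = prepare_charge(args.user, consent=True, env=env)
    # The notice sits immediately before the side effect, not buried in setup docs.
    print("about to send charge:", json.dumps(asdict(request)))
    sender(request, key)
    return request


if __name__ == "__main__":
    import sys

    def _send(req: ChargeRequest, key: str) -> None:
        # Real transport (for example requests.post with an Authorization header) goes here.
        print(f"sent {req.amount}-token charge for {req.user_id} to {req.url}")

    bill_before_run(sys.argv[1:], os.environ, _send)
```

With this shape, an orchestrator that invokes the skill programmatically gets no charge and no outbound request unless it passes --bill, a missing key or skill ID stops the run before any identifier leaves the host, and the printed request is the same object handed to the transport, so what the user sees is what is sent.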

VirusTotal

66/66 vendors flagged this skill as clean.
