Back to skill

Security audit

Trading212 API

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Trading 212 helper, but it gives an agent live brokerage trading and sensitive account-data workflows with safeguards that are too light for real-money use.

Review carefully before installing. Use DEMO mode first, keep API keys out of chat and shell history where possible, require explicit confirmation before every live order or cancellation, verify ticker/account/environment details manually, and store downloaded reports only in a private location with cleanup when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This skill is explicitly designed to place trades, buy stock, sell shares, and cancel orders, including against LIVE accounts with real money, but the top-level invocation description does not prominently warn that these actions can be irreversible and financially consequential. In a trading context, insufficient upfront safety framing materially increases the risk of accidental real-money transactions or misuse by users who think they are only exploring the API.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation includes shell export examples for API keys, secrets, and precomputed authorization headers without an immediate warning that command-line entry can expose credentials via shell history, process inspection, copied transcripts, or shared terminal logs. Because these credentials authorize brokerage actions, accidental exposure could enable unauthorized account access and trading within the API's permission scope.

Missing User Warnings

Low
Confidence
72% confidence
Finding
The CSV download example writes a financial report to a predictable local filename without clearly warning that the file may contain sensitive account activity, balances, and tax-relevant data. On shared or poorly secured systems, this increases the chance of unintended disclosure even if the workflow itself is legitimate.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.