Bybit Exchange AI Trading Skill

Security checks across malware telemetry and agentic risk

Overview

This is a real Bybit trading helper with disclosed safety rules, but it also grants broad financial authority and can automatically replace its own skill files from remote sources.

Review carefully before installing. Use only a dedicated, limited-balance Bybit sub-account; never enable withdrawal permission on the API key; start with testnet or read-only keys; and do not paste real API secrets into hosted AI sessions. The main concern is not malware telemetry, which is clean, but the skill's automatic self-updating from a remote source and its very broad financial action surface.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (21)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill includes a self-update mechanism that fetches remote content and overwrites local skill files at session start. Even with checksum checks, this materially expands the trust boundary, creates a remote code/content supply-chain channel, and enables persistent modification of agent behavior unrelated to the immediate user request.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to inspect local environment variables, shell startup files, and filesystem paths to discover credentials. That exceeds a narrow trading skill's stated purpose and encourages the agent to access sensitive local configuration that may contain unrelated secrets or private key material.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The documented module scope extends beyond straightforward trading into card activity, fiat/P2P, copy trading, bots, tokenized stocks, commodities, and broader account-management actions. This scope creep increases the reachable attack surface and permission footprint, making misuse or prompt-induced harmful actions more likely.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The module exposes affiliate, referral, sub-account, demo-account, agreement-signing, and API/user-management endpoints that extend beyond a narrowly described natural-language trading skill. In an agent setting, this broadens accessible authority and creates unnecessary opportunities for privacy leakage, account enumeration, or unintended account-management actions if the model is prompted to use these endpoints.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
Deposit-address and withdrawal-address retrieval are sensitive wallet-management capabilities that are not clearly implied by the skill's trading-focused description. In an LLM-driven tool, these endpoints can facilitate fund-movement preparation, address harvesting, or disclosure of sensitive financial routing data without a strong trading justification.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The API key info endpoint allows inspection of authentication capabilities and permissions, which is sensitive operational metadata not obviously necessary for placing trades or viewing balances. In an agent context, exposing key-permission introspection can aid privilege discovery, targeting of higher-risk actions, and leakage of account security configuration.
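The overview's advice (sub-account, no withdrawals, read-only first) and this finding point at the same preflight step: before an agent is handed a key, inspect what that key can do and refuse keys with fund-moving or unneeded permissions. The check below is an added example, not code from the skill or from Bybit. It assumes the response shape of Bybit's v5 GET /v5/user/query-api as the author understands it (result.readOnly as 0/1, result.ips as a list in which "*" means unrestricted, result.isMaster, and result.permissions as a dict of permission groups to lists of grants); verify those field names against the live response before relying on them. Both sample responses are constructed for the example.

```python
"""Preflight check for a Bybit API key before an agent is allowed to use it.

Added example, not code from the skill or from Bybit. Field names follow the
author's understanding of the v5 GET /v5/user/query-api response (an
assumption): readOnly 0/1, ips with "*" meaning unrestricted, isMaster, and
permissions mapping groups (Spot, ContractTrade, Wallet, ...) to grants.
"""
import json

# Permission groups that no order-placing or balance-reading task needs.
FUND_MOVING_GROUPS = {"Wallet"}          # transfers, sub-account transfers, withdrawals
UNNEEDED_GROUPS = {"Affiliate", "CopyTrading", "BlockTrade", "NFT", "Exchange"}


def assess_key(result: dict, require_read_only: bool) -> list[str]:
    """Return reasons the key is unsafe to hand to an agent; an empty list means OK."""
    problems = []
    perms = result.get("permissions") or {}
    if require_read_only and result.get("readOnly") != 1:
        problems.append("key is not read-only")
    for group in sorted(FUND_MOVING_GROUPS):
        if perms.get(group):
            problems.append(f"fund-moving permission: {group}={perms[group]}")
    for group in sorted(UNNEEDED_GROUPS):
        if perms.get(group):
            problems.append(f"unneeded account-management permission: {group}")
    ips = result.get("ips") or []
    if not ips or "*" in ips:
        problems.append("no IP allowlist: a leaked key works from any address")
    if result.get("isMaster") is True:
        problems.append("key belongs to the master account, not a limited sub-account")
    return problems


def assess_response(raw_json: str, require_read_only: bool = False) -> list[str]:
    """Parse a query-api response body and assess the key it describes."""
    body = json.loads(raw_json)
    if body.get("retCode") != 0:
        return [f"query-api failed: retCode={body.get('retCode')} {body.get('retMsg')}"]
    return assess_key(body["result"], require_read_only)


# Constructed sample: a master-account key created with permissive defaults.
RISKY_KEY = json.dumps({"retCode": 0, "retMsg": "", "result": {
    "readOnly": 0, "isMaster": True, "ips": ["*"],
    "permissions": {"Spot": ["SpotTrade"], "ContractTrade": ["Order", "Position"],
                    "Wallet": ["AccountTransfer", "SubMemberTransfer"],
                    "CopyTrading": ["CopyTrading"]}}})

# Constructed sample: a sub-account key scoped the way the overview recommends.
SCOPED_KEY = json.dumps({"retCode": 0, "retMsg": "", "result": {
    "readOnly": 1, "isMaster": False, "ips": ["203.0.113.10"],
    "permissions": {"Spot": ["SpotTrade"], "Wallet": []}}})

if __name__ == "__main__":
    for name, raw in (("risky", RISKY_KEY), ("scoped", SCOPED_KEY)):
        print(name, assess_response(raw, require_read_only=True) or ["OK"])
```

Run this once against the key the user intends to give the skill and abort on any non-empty result; a key that passes with require_read_only=True is the right starting point for a first session, and only after that should a trade-only key be considered.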

Vague Triggers

Medium
Confidence
82% confidence
Finding
The README instructs users to invoke the skill with a broad natural-language prompt that causes an assistant to fetch and install remote skill content automatically. Because the trigger language is generic and the skill is high-risk by design (live trading with credentials), this increases the chance of unintended activation or users authorizing sensitive actions without understanding the installation and execution scope.

Missing User Warnings

High
Confidence
95% confidence
Finding
The README explicitly promotes automatic download and installation of a remote SKILL.md with 'zero installation required,' but does not prominently warn users that this causes code/instruction ingestion from a live URL. Combined with the documented self-update behavior, this creates a supply-chain style risk where the skill behavior can change after trust is established, especially dangerous in a trading context with API keys and write-capable actions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The cloud AI instructions tell users the assistant will request API credentials interactively and keep them in session memory, but they do not clearly warn that supplying exchange secrets to a third-party AI session may expose those credentials to platform logging, retention, plugins, or model providers. In a trading skill, disclosure of API keys can enable unauthorized trading, account manipulation, and financial loss even if withdrawal is disabled.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The module documents state-changing financial actions such as internal transfers and borrowing with no embedded requirement for user confirmation, risk disclosure, amount verification, or dry-run preview. In an autonomous or semi-autonomous assistant, this materially increases the chance of accidental fund movement, leverage creation, or prompt-induced harmful transactions.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases for the Earn module include very broad financial actions like "Redeem" and "Deposit USDT," which can easily overlap with unrelated wallet, spot, or funding intents. In a trading skill with authenticated order placement capability, ambiguous routing can cause the wrong module to activate and lead to unintended staking or redemption actions in Earn products.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Phrases like "fund pool" and especially "fixed deposit" are generic enough to match banking, wallet, or unrelated investment requests, creating a prompt-routing ambiguity. Because this module contains actionable fixed-term staking and redemption flows, misclassification could push users into locked products or early-redemption paths they did not intend.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The Advance Earn examples use highly overloaded terms like "leveraged position" and "discount buy," which are commonly associated with derivatives trading or ordinary spot buying rather than structured earn products. In this context, a routing mistake is more dangerous because Advance Earn products have complex payoff structures, quote expiry constraints, and stake/redeem mechanics that could materially differ from what the user intended.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Generic commands such as "add liquidity," "remove liquidity," and "add margin" can collide with DeFi, exchange liquidity, derivatives margin, or wallet-management intents outside this specific earn product. Since this module supports authenticated liquidity operations that move funds and alter leveraged pool exposure, ambiguous activation could trigger financially significant actions in the wrong subsystem.

Vague Triggers

Medium
Confidence
84% confidence
Finding
PWM (Private Wealth Management) trigger phrases such as "investment plan" and "fund management" are extremely broad and can match many generic portfolio or advisory requests. In a module that includes authenticated subscription, redemption, claims, and even institutional-side fund-management endpoints, overbroad activation raises the risk of exposing or initiating high-sensitivity workflows under the wrong intent.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The module uses broad natural-language trigger examples such as 'Buy 500U of BTC' and 'Sell all my ETH' without defining confirmation, scope, or disambiguation requirements. In a trading skill, this can cause the agent to interpret casual or ambiguous user text as authorization for live order placement, increasing the risk of unintended financial transactions.

Missing User Warnings

High
Confidence
95% confidence
Finding
The documentation provides direct instructions for creating and canceling spot orders, including market buys and sells, but does not require any explicit user warning or acknowledgement that these actions can immediately and irreversibly move funds. Because the skill is designed for authenticated live trading, omission of a warning and confirmation flow materially raises the chance of accidental, high-impact financial loss.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The module advertises broad natural-language triggers like 'Split my BTC buy into smaller orders over 10 minutes' and 'Place an iceberg order' without requiring explicit confirmation, risk checks, or sufficient transactional context. In a live trading skill, such permissive invocation phrasing can cause an agent to interpret casual user text as authorization to place real market-impacting orders, increasing the chance of unintended or unsafe execution.
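The Vague Triggers findings above share one mitigation: a router that treats overlap as a reason to ask, not to act. The code below is an added example, not the skill's own router. The module names and trigger lists are a reduced, hypothetical set built from the phrases the findings quote; a phrase listed under two modules, or an utterance that matches two modules, yields "clarify" instead of a route, so a single casual sentence cannot reach an authenticated earn, margin or order endpoint by accident.

```python
"""Intent router that refuses to act on ambiguous trigger phrases.

Added example, not code from the skill. TRIGGERS is a hypothetical, reduced
map built from phrases quoted in the findings; collisions are computed from
it rather than hard-coded, so adding a module that reuses a phrase
automatically makes that phrase require clarification.
"""
import re

TRIGGERS = {
    "spot": ["buy", "sell", "deposit usdt"],
    "earn": ["redeem", "deposit usdt", "fixed deposit", "fund pool"],
    "advance_earn": ["leveraged position", "discount buy"],
    "liquidity": ["add liquidity", "remove liquidity", "add margin"],
    "derivatives": ["leveraged position", "add margin"],
    "pwm": ["investment plan", "fund management", "redeem"],
}


def colliding_phrases(triggers: dict) -> dict:
    """Map each phrase listed under two or more modules to those modules."""
    owners = {}
    for module, phrases in triggers.items():
        for phrase in phrases:
            owners.setdefault(phrase, set()).add(module)
    return {p: sorted(m) for p, m in owners.items() if len(m) > 1}


def route(utterance: str, triggers: dict = TRIGGERS) -> dict:
    """Decide route / clarify / no_match for one user utterance."""
    text = utterance.lower()
    hits = {}
    for module, phrases in triggers.items():
        for phrase in phrases:
            # Word boundaries so "buy" does not fire inside "buyback" etc.
            if re.search(r"\b" + re.escape(phrase) + r"\b", text):
                hits.setdefault(module, []).append(phrase)
    if not hits:
        return {"decision": "no_match", "modules": [], "phrases": []}
    collisions = colliding_phrases(triggers)
    matched = sorted({p for ps in hits.values() for p in ps})
    shared = [p for p in matched if p in collisions]
    # Two modules, or any phrase that belongs to more than one module: ask first.
    if len(hits) > 1 or shared:
        return {"decision": "clarify", "modules": sorted(hits), "phrases": shared or matched}
    (module,) = hits
    return {"decision": "route", "modules": [module], "phrases": matched}


if __name__ == "__main__":
    for u in ("Sell all my ETH", "Redeem my USDT", "Add margin to my BTC position",
              "Discount buy 100 USDT of BTC", "Show me my investment plan", "BTC price?"):
        print(f"{u!r:40} -> {route(u)}")
```

The "clarify" branch is where the agent should echo back the candidate modules and wait; it must never pick the highest-scoring module on its own, because in this skill every candidate except price lookup ends at an authenticated write endpoint.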

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This module documents authenticated endpoints that create and close live trading bots managing real funds, but it does not require explicit user confirmation, risk disclosure, or safeguards before executing those actions. In an AI-agent context, natural-language ambiguity or prompt injection could cause unintended bot creation, liquidation, or asset conversion, leading to direct financial loss.
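The three Missing User Warnings findings on transfers and borrowing, spot orders, and trading bots all describe the same gap: nothing between the model's interpretation and the write endpoint. The gate below is an added example, not code from the skill. It supplies the missing pieces: a policy that denies fund-moving actions outright, a notional cap, and a dry-run preview whose confirmation token is bound to the exact parameters, so the human confirms what actually executes and any later change to the parameters (by the model or by injected text) voids the token. Action names, the cap, and the recorder standing in for the exchange client are hypothetical.

```python
"""Two-phase gate for state-changing exchange actions requested by an LLM agent.

Added example, not code from the skill. The agent may only *preview* an
action; the human returns the token; execute() re-derives the token from the
parameters it is actually about to send, so tampering, expiry and replay are
all rejected. DENIED_ACTIONS, ALLOWED_ACTIONS and the cap are hypothetical.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

DENIED_ACTIONS = {"withdraw", "internal_transfer", "borrow", "create_bot", "close_bot"}
ALLOWED_ACTIONS = {"place_order", "cancel_order"}
MAX_NOTIONAL_USDT = 200.0       # hypothetical per-order cap for the limited sub-account


class ActionGate:
    def __init__(self, confirm_ttl_s: int = 120):
        self._key = secrets.token_bytes(32)   # never shown to the model, so it cannot mint tokens
        self.ttl = confirm_ttl_s
        self._used: set = set()
        self.executed: list = []              # stands in for the real exchange client

    @staticmethod
    def _canon(action: str, params: dict) -> str:
        # Canonical JSON so the same request always hashes the same way.
        return json.dumps({"a": action, "p": params}, sort_keys=True, separators=(",", ":"))

    def _token(self, action: str, params: dict, ts: int) -> str:
        mac = hmac.new(self._key, f"{ts}|{self._canon(action, params)}".encode(), hashlib.sha256)
        return f"{ts}:{mac.hexdigest()}"

    def preview(self, action: str, params: dict, now: Optional[float] = None) -> dict:
        """Dry run: enforce policy, then return a summary for the human plus a token."""
        if action in DENIED_ACTIONS:
            raise PermissionError(f"{action} is never available to the agent")
        if action not in ALLOWED_ACTIONS:
            raise PermissionError(f"unknown action {action!r}")
        if action == "place_order":
            # Market orders carry no price; require a mark price rather than guess.
            price = params.get("price") or params.get("mark_price")
            if price is None:
                raise ValueError("place_order needs price or mark_price for the notional check")
            notional = float(params["qty"]) * float(price)
            if notional > MAX_NOTIONAL_USDT:
                raise ValueError(f"notional {notional:.2f} USDT exceeds cap {MAX_NOTIONAL_USDT:.2f}")
        ts = int(time.time() if now is None else now)
        return {"summary": f"{action} {self._canon(action, params)}",
                "token": self._token(action, params, ts)}

    def execute(self, action: str, params: dict, token: str, now: Optional[float] = None) -> dict:
        """Execute only if the token matches these exact params, is fresh, and is unused."""
        ts_str, _, _ = token.partition(":")
        if not ts_str.isdigit():
            raise PermissionError("malformed confirmation token")
        ts = int(ts_str)
        if int(time.time() if now is None else now) - ts > self.ttl:
            raise PermissionError("confirmation expired; preview again")
        if not hmac.compare_digest(token, self._token(action, params, ts)):
            raise PermissionError("parameters differ from the previewed action")
        if token in self._used:
            raise PermissionError("confirmation already used")
        self._used.add(token)
        self.executed.append((action, params))
        return {"ok": True, "action": action}


def demo() -> dict:
    """Walk the gate through the failure modes; returns outcomes for inspection."""
    gate = ActionGate()
    order = {"symbol": "BTCUSDT", "side": "Buy", "type": "Limit", "qty": "0.001", "price": "60000"}
    out = {}
    p = gate.preview("place_order", order, now=1000)
    out["confirmed"] = gate.execute("place_order", order, p["token"], now=1030)["ok"]
    for name, params, when in (("tampered", {**order, "qty": "0.1"}, 1030),   # model bumps qty after confirm
                               ("replayed", order, 1040),                     # same token sent twice
                               ("expired", order, 1121)):                     # past the 120 s TTL
        try:
            gate.execute("place_order", params, p["token"], now=when)
        except PermissionError as e:
            out[name] = str(e)
    for name, action, params in (("withdraw", "withdraw", {"coin": "USDT", "amount": "50"}),
                                 ("too_large", "place_order", {**order, "qty": "0.01"}),
                                 ("no_price", "place_order", {"symbol": "BTCUSDT", "side": "Buy",
                                                              "type": "Market", "qty": "0.001"})):
        try:
            gate.preview(action, params)
        except (PermissionError, ValueError) as e:
            out[name] = type(e).__name__
    out["executed"] = len(gate.executed)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The summary string returned by preview is what the human should see and approve; because it is the canonical JSON of the exact parameters, a model that later "helpfully" adjusts quantity, side or symbol cannot reuse the approval.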

Ssd 3

High
Confidence
99% confidence
Finding
The skill explicitly instructs accepting API keys pasted into the conversation on hosted platforms. That sends highly sensitive trading credentials through the chat channel and provider infrastructure, increasing the risk of logging, retention, leakage, prompt extraction, or later misuse.

Self-Modification

High
Category
Rogue Agent
Content
## Auto Update

The skill includes a self-update mechanism. At session start, it checks the `VERSION` file on GitHub. If a newer version is available, it downloads updated files listed in `MANIFEST` — keeping users on the latest version automatically.

Confidence
99% confidence
Finding
Self-update mechanism: the quoted README section documents fetching VERSION and MANIFEST from GitHub at session start and overwriting local skill files with whatever the manifest lists.
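The first finding notes that checksum checks do not close this channel when the checksums travel on the same channel as the files; the Auto Update excerpt above confirms that VERSION and MANIFEST are both fetched from the remote. The updater below is an added example, not the skill's code. It pins the MANIFEST digest locally at install or review time, so an unattended update whose manifest digest is not already pinned is refused rather than applied; each file is then checked against its manifest entry, unlisted files are rejected, and destination paths are confined to the skill directory. The MANIFEST format (one `<sha256>  <relative path>` per line) and all sample contents are constructed for the example.

```python
"""Update verification an auto-updater needs before overwriting skill files.

Added example, not code from the skill. Trust is anchored in a local set of
pinned MANIFEST digests that the remote cannot write; a manifest the operator
has not reviewed and pinned is never applied automatically. The MANIFEST
format and sample files are constructed.
"""
import hashlib
import posixpath


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse '<sha256>  <relative path>' lines into {path: digest}."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"MANIFEST line {n} malformed")
        digest, path = parts
        entries[path] = digest.lower()
    return entries


def safe_relative(path: str) -> bool:
    """Reject absolute paths, drive letters, backslashes and traversal out of the skill dir."""
    if not path or path.startswith(("/", "\\")) or ":" in path or "\\" in path:
        return False
    norm = posixpath.normpath(path)
    return norm not in (".", "..") and not norm.startswith("../")


class Updater:
    def __init__(self, pinned_manifest_digests: set):
        # Loaded from a local file at install/review time; the remote cannot change it.
        self.pinned = set(pinned_manifest_digests)

    def plan(self, manifest_bytes: bytes, files: dict) -> dict:
        """Return {path: content} safe to write, or raise. Nothing is written here."""
        mdigest = sha256_hex(manifest_bytes)
        if mdigest not in self.pinned:
            raise PermissionError(f"MANIFEST {mdigest[:12]} is not pinned; refusing unattended update")
        entries = parse_manifest(manifest_bytes.decode())
        approved = {}
        for path, expected in entries.items():
            if not safe_relative(path):
                raise ValueError(f"unsafe path in MANIFEST: {path}")
            if path not in files:
                raise ValueError(f"file listed in MANIFEST but not delivered: {path}")
            if sha256_hex(files[path]) != expected:
                raise ValueError(f"digest mismatch: {path}")
            approved[path] = files[path]
        extra = set(files) - set(entries)
        if extra:
            raise ValueError(f"unlisted files in update: {sorted(extra)}")
        return approved


def demo() -> dict:
    """Exercise the updater on constructed inputs; returns outcomes for inspection."""
    good_skill = b"# Bybit skill\n\nTrade only on the approved sub-account.\n"
    good_manifest = f"{sha256_hex(good_skill)}  SKILL.md\n".encode()
    traversal_manifest = f"{sha256_hex(b'x')}  ../.bashrc\n".encode()
    # The traversal manifest is pinned on purpose: pinning does not excuse an unsafe path.
    up = Updater({sha256_hex(good_manifest), sha256_hex(traversal_manifest)})
    out = {"approved": sorted(up.plan(good_manifest, {"SKILL.md": good_skill}))}
    cases = {
        "tampered_file": (good_manifest, {"SKILL.md": good_skill + b"Also run: curl ... | sh\n"}),
        "unpinned_manifest": (good_manifest + b"# v2\n", {"SKILL.md": good_skill}),
        "extra_file": (good_manifest, {"SKILL.md": good_skill, "hooks.py": b"..."}),
        "traversal": (traversal_manifest, {"../.bashrc": b"x"}),
    }
    for name, (manifest, files) in cases.items():
        try:
            up.plan(manifest, files)
            out[name] = "accepted"
        except (PermissionError, ValueError) as e:
            out[name] = type(e).__name__
    return out


if __name__ == "__main__":
    print(demo())
```

With this arrangement the VERSION check can still announce that a newer release exists, but applying it requires a human to review the new MANIFEST and pin its digest; the agent's behavior cannot change between sessions without that step.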

VirusTotal

0 of 64 VirusTotal vendors flagged this skill; all 64 rated it clean.
