Back to skill

Security audit

Aster Futures

Security checks across malware telemetry and agentic risk

Overview

This skill is openly for Aster mainnet futures trading, but it encourages plaintext handling and storage of private keys for financially sensitive actions.

Install only if you intentionally want an agent to interact with Aster mainnet futures. Do not paste or store private keys in chat, uploaded plaintext files, or TOOLS.md; use a dedicated restricted API wallet and secure secret storage instead. Manually review every order, cancellation, leverage or margin change, transfer, and withdrawal before it is sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill explicitly instructs the agent to collect and persist long-lived API wallet private keys in TOOLS.md, a local markdown file that is not a secure secret store. Persisting reusable trading credentials in plain text greatly increases the chance of credential theft, unintended disclosure to users, leakage through logs/version control, and subsequent unauthorized trading or withdrawals.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The documentation normalizes users sending full API credentials, including a private key, as ordinary skill input. Even if later display is masked, the dangerous act is initial collection and handling of the full secret, which may expose credentials to transcripts, logs, memory, or downstream tooling and enable full compromise of the Aster account.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation states requests use EIP-712 signing, but the example actually hashes data with solidity_keccak and then signs it using encode_defunct, which produces an EIP-191/personal-sign style signature rather than a true typed-data EIP-712 signature. This mismatch can cause implementers to generate invalid signatures, misunderstand what is being authenticated, or build incompatible signing logic for a trading API that protects order placement and account actions.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill directs storage of API wallet private keys in a markdown file without a clear warning about persistence risk or any compensating controls. Because these keys authorize authenticated futures actions, plaintext local storage can lead directly to account takeover, unauthorized order placement, balance transfers, or withdrawals if the file is exposed.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill exposes live trading, leverage changes, margin changes, transfers, and withdrawal endpoints in a production mainnet context with only limited confirmation guidance for transactions. Insufficient warnings and guardrails around destructive financial actions increase the risk of accidental or socially engineered execution of irreversible or high-impact operations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal