Back to skill

Security audit

UnifAI Trading Suite

Security checks across malware telemetry and agentic risk

Overview

This skill appears trading-related rather than malicious, but it needs review because it gives an AI broad external tool access that may include trading actions without strong user approval controls.

Install only if you understand that this is an agentic trading integration, not just a static market-data viewer. Use sandbox or read-only API keys, avoid connecting wallets or accounts with live trading authority unless you add explicit confirmation and limits, do not expose the FastAPI server publicly as-is, and review/pin dependencies before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Memory PoisoningPersistent Context Injection, Context Window Stuffing, Memory Manipulation
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (29)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no permissions even though it requires environment variables and performs networked operations. This hides its true capability surface from reviewers and users, making it easier to access secrets and external services without clear disclosure or policy gating.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The published description frames the skill as a narrow trading-insights tool, but the detected behavior is substantially broader, including a web server, generic AI agent functionality, dynamically discovered tools, and trade/portfolio actions. This mismatch undermines informed consent and review, and can conceal riskier capabilities such as arbitrary tool use, exposed endpoints, or transaction-like actions beyond what users expect.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The agent fetches dynamic tools from the UnifAI network at runtime and passes all returned tools directly to the model, then executes any tool calls the model requests without local allowlisting or scope validation. In a trading-insights skill, this creates an unnecessary capability expansion: if the tool registry includes unrelated or sensitive tools, prompt injection or model error could trigger actions outside the intended market-data domain.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This example grants the model a broad general-purpose tool-execution path even though the demonstrated use case only needs limited read-only trading or cryptocurrency data access. The combination of runtime-discovered tools and automatic execution of model-selected tool calls increases the attack surface and can let untrusted user input steer the agent into using capabilities not required for the example.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The chat workflow retrieves dynamic tools generically and then allows the model to invoke any returned UnifAI tool, rather than enforcing a strict allowlist limited to prediction-market and sentiment functions. If the connected UnifAI account exposes broader tools, prompt injection or simple model error could cause unauthorized actions, data access, or use of capabilities far outside the skill's declared purpose.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The docstring frames this module as a thin Polymarket wrapper, but the implementation later enables dynamic loading of all UnifAI tools and LLM-mediated tool selection. In this context, that mismatch is security-relevant because users of a market-data client may not expect that order-placement or other broader capabilities can be reached indirectly, increasing the chance of unintended or unsafe tool execution.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The client calls get_tools(dynamic_tools=True) and passes the full tool set to an LLM, which is then trusted to choose a tool based on prompt text containing a user-influenced tool name and parameters. This creates excessive capability exposure: if additional tools are available in the environment, or if the model selects an unintended tool, the wrapper can perform actions beyond market-data retrieval, including potentially sensitive or state-changing operations such as trading.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The toolkit metadata describes an 'insights suite', but the file exposes an execute_trade action that performs a safety-sensitive financial operation. This capability mismatch is dangerous because downstream agents or users may grant trust, permissions, or invoke the skill assuming it is informational only, increasing the chance of unintended or unauthorized trading.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The action and docstring claim to 'Execute a trade on a prediction market,' but the implementation only returns a simulated success response. This can mislead calling agents into believing a real trade was placed, causing incorrect portfolio assumptions, duplicate follow-up actions, or risky automated decisions based on false execution state.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation explicitly advertises commands and tools for market querying, order placement, and trade execution, but it does not present any user-facing warning, confirmation requirement, or clear distinction between analysis-only and account-impacting actions. In a trading skill, that omission is risky because users or downstream agents may invoke capabilities that can spend funds or alter market positions without appreciating the financial consequences.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The setup guidance instructs users to provide API keys for LLMs, UnifAI, and market services, but it does not warn that prompts, market queries, and analysis data may be transmitted to third-party providers. This is a real transparency and privacy issue because users may unknowingly send sensitive trading intent, account-linked usage, or proprietary research context to external services.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README presents an AI-powered trading agent with market integrations and execution-oriented language but does not clearly warn users that use of the system may affect real positions or funds, or that automated trading decisions can incur financial loss. In the context of prediction markets and agentic trading, this omission can mislead users into treating the skill as a low-risk analysis tool rather than software capable of influencing or enabling financially consequential actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly sends user-provided tokens and queries to external services such as Google/SerpAPI, Twitter/X, Elfa, and TokenAnalysis, but it does not warn users that their inputs may be transmitted to third-party providers. This creates a privacy and data-handling risk, especially if users enter sensitive watchlists, proprietary research topics, or identifying search terms under the assumption that processing is local.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
User messages and accumulated conversation/tool context are transmitted to external LLM and tool providers without an explicit notice or consent check at the point of use. In a trading context, queries may contain sensitive strategy, account, or market-interest information, so silent onward transfer increases privacy and compliance risk.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The health endpoint reveals whether specific API credentials are configured by returning booleans for UNIFAI_AGENT_API_KEY and GOOGLE_API_KEY. While it does not expose the secrets themselves, it leaks useful reconnaissance data to unauthenticated callers about deployed integrations and backend capabilities, which can help attackers profile the service.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
A trade-execution action is exposed without any built-in warning, confirmation, spending limits, or secondary authorization, despite representing a potentially irreversible financial action. In an agentic environment, this lowers the barrier for accidental, prompt-induced, or unauthorized trade placement if the placeholder is later wired to a real broker.

Memory Manipulation

High
Category
Memory Poisoning
Content
@app.post("/api/clear")
async def clear_session(session_id: str = "default"):
    """Clear conversation history for a session."""
    if session_id in agents:
        agents[session_id].clear_history()
    return {"status": "cleared", "session_id": session_id}
Confidence
90% confidence
Finding
Clear conversation

Known Vulnerable Dependency: litellm — 10 advisory(ies): CVE-2024-4888 (Arbitrary file deletion in litellm); CVE-2024-2952 (LiteLLM has Server-Side Template Injection vulnerability in /completions endpoin); CVE-2026-49468 (LiteLLM: Authentication Bypass via Host Header Injection) +7 more

Critical
Category
Supply Chain
Confidence
92% confidence
Finding
litellm

Known Vulnerable Dependency: aiohttp — 10 advisory(ies): CVE-2024-52303 (aiohttp has a memory leak when middleware is enabled when requesting a resource ); CVE-2026-54279 (aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence); CVE-2026-34514 (AIOHTTP has CRLF injection through multipart part content type header constructi) +7 more

High
Category
Supply Chain
Confidence
85% confidence
Finding
aiohttp

Known Vulnerable Dependency: httpx — 2 advisory(ies): CVE-2021-41945 (Improper Input Validation in httpx); CVE-2021-41945 (Encode OSS httpx <=1.0.0.beta0 is affected by improper input validation in `http)

Critical
Category
Supply Chain
Confidence
74% confidence
Finding
httpx

Known Vulnerable Dependency: web3 — 1 advisory(ies): CVE-2026-40072 (web3.py: SSRF via CCIP Read (EIP-3668) OffchainLookup URL handling)

Low
Category
Supply Chain
Confidence
73% confidence
Finding
web3

Known Vulnerable Dependency: pydantic — 4 advisory(ies): CVE-2021-29510 (Use of "infinity" as an input to datetime and date fields causes infinite loop i); CVE-2024-3772 (Pydantic regular expression denial of service); CVE-2021-29510 (Pydantic is a data validation and settings management using Python type hinting.) +1 more

High
Category
Supply Chain
Confidence
80% confidence
Finding
pydantic

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
69% confidence
Finding
python-dotenv

Known Vulnerable Dependency: litellm==1.80.5 — 10 advisory(ies): CVE-2026-49468 (LiteLLM: Authentication Bypass via Host Header Injection); CVE-2026-35029 (LiteLLM: Privilege escalation via unrestricted proxy configuration endpoint); GHSA-69x8-hrgq-fjj8 (LiteLLM: Password hash exposure and pass-the-hash authentication bypass) +7 more

Critical
Category
Supply Chain
Confidence
97% confidence
Finding
litellm==1.80.5

Known Vulnerable Dependency: aiohttp==3.9.0 — 10 advisory(ies): CVE-2026-54279 (aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence); CVE-2026-34514 (AIOHTTP has CRLF injection through multipart part content type header constructi); CVE-2026-34517 (AIOHTTP has late size enforcement for non-file multipart fields causes memory Do) +7 more

High
Category
Supply Chain
Confidence
95% confidence
Finding
aiohttp==3.9.0

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.