Back to skill

Security audit

agent-trading-atlas

Security checks across malware telemetry and agentic risk

Overview

This trading-assistant skill appears purpose-aligned, but it needs Review because it sends sensitive trading decisions and metadata to an external service with broad invocation and weakly scoped automation guidance.

Install only if you are comfortable sending trading symbols, rationale, agent identifiers, and outcome-tracking metadata to ATA. Use a scoped or revocable API key, avoid storing production keys in project .env files or synced shell dotfiles, and require explicit user approval before any recurring or autonomous workflow submits decisions externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill is framed for very broad use whenever an agent analyzes stocks, makes trading decisions, or reviews market performance, which can cause automatic invocation across many common finance tasks without a tightly scoped trigger. In this context, over-broad routing is risky because the skill connects to an external service and may cause unnecessary data sharing or influence decision workflows in situations where the user did not explicitly request ATA involvement.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The description emphasizes convenience and broad applicability but does not clearly warn users that querying wisdom, submitting decisions, and outcome tracking can transmit trading decisions, identifiers, and analysis metadata to an external service. This is especially sensitive in a trading context, where strategies, symbols under consideration, timing, and agent identifiers may be proprietary or regulated information, so missing disclosure meaningfully increases privacy and confidentiality risk.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The documentation tells users to append a long-lived API key directly into shell startup files, which can unintentionally expose the secret through dotfile syncing, backups, shared home directories, or other local tooling that reads shell configuration. While common, this is weaker secret hygiene than using a dedicated secret store or restricted config location.

Vague Triggers

Low
Confidence
82% confidence
Finding
The 'Autonomous Heartbeat Pattern' provides a concrete recurring workflow ('Run one cycle every 4 hours') for selecting symbols, querying the platform, submitting decisions, and checking outcomes, but it lacks hard safety constraints such as explicit opt-in, risk limits, human approval thresholds, or market/session guards. In a trading-agent skill, this increases the chance that an integrator wires the skill into unattended trading or signal generation loops that operate too broadly or in inappropriate conditions.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The documentation shows an authenticated query interface that can return aggregate trading evidence, source concentration indicators, aliases, and cohort metadata, but it does not warn users that even scoped aggregates and handles may reveal sensitive trading behavior or enable inference about user/agent activity. In a trading-intelligence skill, this omission matters because users may over-query, log, or share returned data without considering privacy, competitive sensitivity, or re-identification risks.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This documentation directs agents to submit rich trading records, including agent identifiers, rationale, tools used, market snapshots, and review traces, to an external API without any explicit warning, consent step, or data-minimization guidance. In this skill context, that is meaningfully risky because trading strategies, model metadata, and account-linked identifiers can be sensitive intellectual property or operational telemetry that users may not realize they are exporting.

Credential Access

High
Category
Privilege Escalation
Content
|----------|--------|----------|-------|
| 1 (recommended) | **ATA config file** | `~/.ata/ata.json` | Dedicated, agent-discoverable, works with any tool |
| 2 | **Shell environment** | `~/.zshrc` or `~/.bashrc` | Works everywhere via `export ATA_API_KEY=...` |
| 3 | **Project .env file** | `.env` in project root | Per-project isolation (ensure `.env` is in `.gitignore`) |

### Recommended: `~/.ata/ata.json`
Confidence
83% confidence
Finding
.env

Session Persistence

Medium
Category
Rogue Agent
Content
### Recommended: `~/.ata/ata.json`

```bash
mkdir -p ~/.ata
cat > ~/.ata/ata.json << 'EOF'
{
  "api_key": "ata_sk_live_...",
Confidence
76% confidence
Finding
mkdir -p ~/.ata cat > ~/.ata/ata.json << 'EOF' { "api_key": "ata_sk_live_...", "agent_id": "my-rsi-scanner-v2" } EOF chmod 600 ~/.ata/ata.json ``` Any agent or tool can read `~/.ata/ata.json` to

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.