htx/futures-trading
Fail
Audited by Snyk on Jun 8, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). The GitHub releases install.sh is high-risk because it's a direct shell script intended to be executed (curl | bash) from a non-obviously-official repo (potential malware distribution), while the huobiapi.github.io link is just documentation and benign — but the presence of the executable install.sh makes the overall source suspicious.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's Installation step runs a curl-pipe-to-shell command that fetches and executes remote code from https://github.com/htx-exchange/htx-skills-hub/releases/latest/download/install.sh, which is a required installer and therefore a runtime external dependency that executes remote code.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a futures trading API integration with write endpoints that place, modify, cancel and execute market orders (e.g., /v1/swap_order, /v1/swap_cross_order, /v1/swap_batchorder, /v1/swap_cross_trigger_order, /v1/swap_lightning_close_position, etc.). It requires an API key with "futures-trade" permission and supports actions that directly move financial value (open/close leveraged positions, market/lightning closes, TP/SL and trigger orders, leverage changes). Those are specific market-order / crypto trading capabilities — not generic tooling — and therefore constitute direct financial execution authority (even though the skill includes safety/confirmation requirements).
Issues (3)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata