htx/futures-trading

Fail

Audited by Snyk on Jun 8, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). The GitHub releases install.sh is high-risk because it's a direct shell script intended to be executed (curl | bash) from a non-obviously-official repo (potential malware distribution), while the huobiapi.github.io link is just documentation and benign — but the presence of the executable install.sh makes the overall source suspicious.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a futures trading API integration with write endpoints that place, modify, cancel and execute market orders (e.g., /v1/swap_order, /v1/swap_cross_order, /v1/swap_batchorder, /v1/swap_cross_trigger_order, /v1/swap_lightning_close_position, etc.). It requires an API key with "futures-trade" permission and supports actions that directly move financial value (open/close leveraged positions, market/lightning closes, TP/SL and trigger orders, leverage changes). Those are specific market-order / crypto trading capabilities — not generic tooling — and therefore constitute direct financial execution authority (even though the skill includes safety/confirmation requirements).

Issues (3)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 8, 2026, 03:35 AM
Issues
3
Security Audit — snyk — htx/futures-trading