htx/spot-account
Fail
Audited by Snyk on Jun 8, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 1.00). High risk — this is a direct download of an install.sh from an unverified GitHub repo (htx-exchange/htx-skills-hub) and the documented "curl ... | bash" pattern would execute remote code immediately, which is commonly used to distribute malware if the source is not trusted.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The Installation step runs remote code via curl -fsSL https://github.com/htx-exchange/htx-skills-hub/releases/latest/download/install.sh | bash -s -- spot-account, which fetches and immediately executes a remote script as a required install/runtime dependency.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill exposes explicit write APIs/CLI commands that move funds: /v1/account/transfer (spot/margin/otc transfers), /v1/futures/transfer (spot ↔ COIN‑M futures), /v2/account/transfer (spot ↔ USDT‑M linear perpetual transfers), and /v1/point/transfer (points transfer). The documentation shows POST examples and required auth/trade permissions and describes transfer workflows (including showing source/destination/currency/amount and requiring confirmation). These are specific financial-execution operations (sending/transferring assets), not generic tooling, so the skill grants direct financial execution authority.
Issues (3)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata