htx/spot-trading
Fail
Audited by Snyk on Jun 8, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). The huobiapi.github.io link is documentation and likely benign, but the GitHub Releases URL points to a direct install.sh (intended to be piped to bash), which is high-risk because executing an unvetted shell script from an external repo can run arbitrary malicious code.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's Installation step runs a remote script via curl | bash fetching https://github.com/htx-exchange/htx-skills-hub/releases/latest/download/install.sh which executes remote code as part of setup, making it a runtime/external dependency that can control execution.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a spot trading integration with endpoints for placing orders, batch orders, canceling orders, querying orders, and borrowing margin (e.g., POST /v1/order/orders/place, /v1/order/batch-orders, /v1/order/orders/{order-id}/submitcancel, /v1/order/orders/batchcancel, and /v1/margin/orders). It requires an API key with trade permission and directly enables market/limit/IOC/FOK orders and margin borrowing — i.e., it is specifically designed to execute financial transactions on behalf of the user.
Issues (3)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata