longbridge-dca
Warn
Audited by Snyk on May 25, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). This skill is explicitly designed to execute real brokerage transactions. It provides mutating commands to create/update/pause/resume/stop recurring investment (DCA) plans that "commit real money on a schedule" and will "automatically place buy orders" from the user's brokerage account. The SKILL lists concrete CLI invocations for create/update/pause/resume/stop (e.g.,
longbridge dca create <SYMBOL> --amount <N> --frequency ...), requires the OAuth "trade" scope, and even describes MCP write tools such asmcp__longbridge__create_dca_plan. These are specific, non-generic financial execution operations (sending orders/transactions), not generic tooling. Therefore it meets the criteria for Direct Financial Execution.
MEDIUM W021: Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).
- Hidden Unicode characters detected (1 type(s) found)
Issues (2)
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
W021
MEDIUMHidden or invisible Unicode characters detected (potential obfuscation or prompt injection).
Audit Metadata