smart-money-signal-copy-trade

Fail

Audited by Snyk on May 29, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). The list includes an official OKX GitHub repo (low risk) and localhost dashboard URLs (not external), but also a third‑party GitHub account (https://github.com/yz06276) distributing a trading bot — unvetted personal GitHub repos/releases are a common malware distribution vector and thus raise concern.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a live crypto trading bot: it contains commands and flows to perform real-money trades (onchainos swap swap, onchainos swap quote, onchainos wallet contract-call for TEE signing/broadcast), requires Agentic Wallet login, asks the user to switch to Live Mode and input a SOL budget, writes live-mode parameters (DRY_RUN = False, PAUSED = False) to config.py, and auto-executes swaps. These are specific, purpose-built financial execution capabilities (crypto wallet signing and trade execution), not generic tooling.

MEDIUM W021: Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).

  • Hidden Unicode characters detected (1 type(s) found)

Issues (3)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

W021
MEDIUM

Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).

Audit Metadata
Risk Level
CRITICAL
Analyzed
May 29, 2026, 03:05 AM
Issues
3
Security Audit — snyk — smart-money-signal-copy-trade