aicoin-trading

Warn

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The script scripts/exchange.mjs automatically executes npm install to download the ccxt package if it is not found in the local environment, introducing a dependency on an external registry at runtime.
  • [COMMAND_EXECUTION]: The skill relies on execSync and execFileSync in scripts/trade.mjs and scripts/auto-trade.mjs to chain script executions and pass parameters, which increases the risk of command injection if parameters are not strictly validated.
  • [CREDENTIALS_UNSAFE]: A functional API key and secret are hardcoded in lib/defaults.json. Although described as a public free tier, hardcoding secrets in source files is a security risk and facilitates unauthorized use of the vendor's resources.
  • [COMMAND_EXECUTION]: The scripts/auto-trade.mjs script is designed to execute trades automatically by setting the confirmed parameter to true, which directly contradicts the safety 'Iron Rules' defined in SKILL.md that require manual user confirmation for all trades.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 11, 2026, 02:55 PM