gdex-trading
Audited by Socket on Mar 7, 2026
3 alerts found:
Alert labels: Obfuscated File (x2), Security

The skill demonstrates a broad capability set aligned with cross-chain DeFi trading and wallet provisioning, but its footprint raises security concerns. The use of shared, hard-coded API keys, local generation of sensitive wallet material (private key and mnemonic) for authentication, and automatic provisioning of multiple wallets to backend services create multiple data-flow and credential-exposure risks. While the core functionality matches the stated purpose, the credential model and key handling require significant tightening (eliminate shared keys in code, enforce per-user keys or secure signing, minimize local key storage, enforce strict transport security and least-privilege scopes). Overall: SUSPICIOUS due to credential exposure and wallet-material handling; not clearly malicious but not confidently safe without substantial mitigations.
The code is a readable example automation script for trading via a GdexSkill SDK. It does not contain direct signs of conventional malware (no obfuscation, no dynamic code execution, no system calls), but it does carry meaningful security and operational risks: credentials appear to be pulled from source-level constants, operations that move real funds are executed automatically without confirmation or validation, and sensitive transaction data is logged. Recommended mitigations: do not store API keys in source; require explicit env vars and fail when missing; add interactive confirmation or dry-run mode before money-moving calls; add input validation and bounds checks for leverage/size; reduce logging of sensitive identifiers or redact in shared logs; review the SDK implementation ('../src') to confirm endpoints and absence of telemetry/backdoors.
No direct malicious code patterns detected (no eval, networking, or process control). However, this file contains hard-coded API keys, which is a serious security/privacy issue: credentials in source can be leaked and abused, and should be rotated and moved to secure configuration. Treat this as a credential-exposure risk rather than active malware.