setup
Fail
Audited by Snyk on Mar 6, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to ask the user for API keys/secrets and then write those exact values into a generated .env file (and explicitly says to write provided keys directly), which requires the LLM to handle and output secret values verbatim.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The setup explicitly downloads and installs remote binaries/source that are executed during runtime—e.g., it uses http://prdownloads.sourceforge.net/ta-lib/ta-lib-0.4.0-src.tar.gz (and suggests downloading a wheel from https://github.com/cgohlke/talib-build/releases) to build/install TA-Lib, which fetches and executes external code required by the skill.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly for a trading/backtesting environment and includes specific financial APIs: it installs ccxt (a crypto exchange API library) and OpenAlgo (Indian markets API) and asks the user to provide and store exchange API keys (API key + secret) and an OpenAlgo API key in .env. These are specific, finance-focused tools that enable authenticated access to exchanges and trading APIs (crypto exchanges and market-data/trading providers). Even though this particular skill only performs setup and not order placement itself, it explicitly configures credentials and libraries used for authenticated trading/market interaction, which falls under Direct Financial Execution risk.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill instructs the agent to run system-level installation commands (including explicit sudo apt-get, sudo make install and writing into /usr) which require elevated privileges and modify the machine's system state.