skills/plurigrid/asi/aptos-trading/Gen Agent Trust Hub

aptos-trading

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE] (HIGH): The skill documentation explicitly states that private keys are stored in a local configuration file ('/Users/alice/agent_scripts/wallets.yaml'). This practice exposes highly sensitive financial credentials to any process with read access to the user's home directory.
  • [COMMAND_EXECUTION] (MEDIUM): The skill relies on local script execution ('alpha_executor.py') and the 'just' command runner to perform its core functions, including wallet validation and trading.
  • [DATA_EXFILTRATION] (MEDIUM): The implementation utilizes 'aiohttp' for network requests to external price feeds and blockchain nodes. When combined with access to wallet credentials, this creates a potential vector for exfiltration of private keys or unauthorized transactions.
  • [SAFE] (LOW): The skill ingests external data from third-party price feeds (CoinGecko, Binance) to trigger blockchain actions, creating a surface for indirect influence on automated trading behavior.
  • [SAFE] (LOW): The use of absolute hardcoded paths (e.g., '/Users/alice/') leaks information about the host system's directory structure and identifies specific user accounts.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:36 PM