trading-operations
Warn
Audited by Snyk on Feb 23, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a trading-operations tool tied to broker integrations (KiteConnect, Dhan) and contains concrete APIs/commands that place and manage market orders and positions. Examples: curl/HTTP endpoints to view /positions and /orderbook, POST endpoints that enable/restart strategies (which drive orders), and explicit financial-execution endpoints to flatten/close positions:
  - POST http://127.0.0.1:5001/api/v1/strategy/enable (enables strategies that will trade)
  - POST http://127.0.0.1:5001/api/v1/strategy/restart (restarts trading strategies)
  - POST http://127.0.0.1:5001/api/v1/flatten (kill switch)
  - POST http://127.0.0.1:5001/api/v1/positions/flatten (closes all positions)
  - POST http://127.0.0.1:5001/api/v1/positions/close (closes a specific symbol)
  It also requires broker OAuth/token management (Reconnect Zerodha), references the orderbook, PnL and risk limits, and contains deploy scripts that "enable top-ranked strategies" and configure risk parameters. These are specific, explicit mechanisms to execute and manage live trades (move money/positions), so this qualifies as Direct Financial Execution.
Audit Metadata