Skill Trust Decision

edge

The skill spawns an external MCP server via npx with an API key, creating opaque code execution that is not inspectable, with undeclared shell execution and indirect credential exposure.

Source: Manual upload · Scanned: Apr 3, 2026
Files: 2 · Artifacts: 1 · Violations: 3 · Findings: 5
Most direct threat evidence

01. User installs and configures the 'edge' skill, providing their Edge Trade API key (Entry · SKILL.md)
02. Skill spawns an external MCP server via 'npx -y @edgedottrade/mcp' with the API key as a startup argument, executing arbitrary code from npm (Escalation · SKILL.md)
03. The opaque MCP server receives the full API key and gains access to trade, portfolio, and alert capabilities without isolation (Escalation · SKILL.md)

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

3 undeclared or violating capabilities were inferred.

Review
Hidden execution and egress

1 lower-risk artifact was extracted and still needs context.

Block
Attack chain and severe findings

The report includes 4 attack-chain steps and 2 severe findings.

Review
Dependencies and supply chain hygiene

1 dependency or supply-chain issue needs attention.

Attack Chain

01
User installs and configures the 'edge' skill, providing their Edge Trade API key

Entry · SKILL.md:33

02
Skill spawns an external MCP server via 'npx -y @edgedottrade/mcp' with the API key as a startup argument, executing arbitrary code from npm

Escalation · SKILL.md:28

03
The opaque MCP server receives the full API key and gains access to trade, portfolio, and alert capabilities without isolation

Escalation · SKILL.md:35

04
MCP server can make arbitrary API calls on behalf of the user (trading, withdrawals) or exfiltrate the API key via its network access

Impact · SKILL.md:29

What drove the risk score up

Undeclared shell execution (npx) +20

SKILL.md declares mcp:spawn but does not disclose that npx is invoked, which is shell:WRITE execution. Users see only 'MCP server' and may not realize arbitrary code is downloaded and run.

Opaque external binary with credential access +18

The entire capability surface depends on the @edgedottrade/mcp npm package, which is a black box. The API key is passed as a startup argument, meaning the binary has access to it from initialization with no isolation.

Undeclared outbound network activity +10

SKILL.md declares 'network: outbound' only, but the MCP server likely makes multiple outbound requests beyond what is documented. The actual network footprint is invisible.

No dependency pinning +4

The npx command has no version pinning; any version of @edgedottrade/mcp is accepted, enabling supply chain attacks.

Most important evidence

High

Undeclared shell execution via npx spawn

The skill invokes 'npx -y @edgedottrade/mcp --api-key ${API_KEY}' which downloads and executes an external npm package. This is shell:WRITE execution and constitutes remote code execution from an external source. The SKILL.md only mentions 'mcp: spawn' without disclosing that npx is used, making the execution vector invisible to users reviewing only the documented behavior.

SKILL.md:28
Replace npx spawn with a locally vendored, pinned binary or a direct HTTPS API client. If MCP spawning is truly required, use a pre-approved, audited binary rather than pulling from npm at runtime.
High

API key passed to opaque external binary

The Edge Trade API key is passed as a command-line argument to the spawned MCP server at startup. This means the credential is exposed to an external, uninspectable binary from the moment the skill initializes. The MCP server could use this key for any API operation including trading, withdrawal, or data exfiltration. SKILL.md describes it as 'Edge Trade API key (sk-...)' but does not warn about the attack surface of passing it to an external process.

SKILL.md:35
Pass the API key only to specific, audited API calls rather than as a startup argument. Consider a design where the skill makes the API calls directly and the MCP server only provides tooling logic, never receiving the credential.
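The remediation above asks for a design in which the credential stays with the skill and the MCP tooling layer only names the operation it wants. The following is an added illustration of that broker pattern, written for this report rather than taken from the skill or from Edge Trade's code. The operation names match the documented tool surface (search, inspect, screen, portfolio, trade, alerts); the HTTP method/path pairs, the transport class and the key value are constructed placeholders. Within one Python process the boundary is only a model; the enforceable version runs the tool layer as a separate process that talks to the broker over a pipe, so that the child never holds the key in argv, environment or memory.

```python
# Hypothetical operation table. Tool names come from the skill's documented
# surface; the method/path pairs are placeholders, not Edge Trade's real API.
OPERATIONS = {
    "search":    ("GET",  "/v1/search"),
    "inspect":   ("GET",  "/v1/inspect"),
    "screen":    ("GET",  "/v1/screen"),
    "portfolio": ("GET",  "/v1/portfolio"),
    "trade":     ("POST", "/v1/orders"),
    "alerts":    ("POST", "/v1/alerts"),
}


class RecordingTransport:
    """Constructed stand-in for the HTTPS client; records each request it is asked to send."""

    def __init__(self):
        self.requests = []

    def send(self, method, path, params, api_key):
        self.requests.append({"method": method, "path": path, "params": params, "api_key": api_key})
        return {"ok": True, "path": path}


class CredentialBroker:
    """Lives in the trusted skill process. Holds the API key and exposes only named
    operations; callers never receive the key or an open-ended request primitive."""

    def __init__(self, api_key, transport, allowed_ops):
        self._api_key = api_key
        self._transport = transport
        # Allowlist is fixed at construction; anything not listed is denied and logged.
        self._allowed = {op: OPERATIONS[op] for op in allowed_ops}
        self.audit_log = []

    def call(self, op, **params):
        if op not in self._allowed:
            self.audit_log.append(("denied", op))
            raise PermissionError(f"operation {op!r} is not allowed for this tool")
        method, path = self._allowed[op]
        self.audit_log.append(("allowed", op))
        # The key is attached here, on the trusted side, and only for a configured endpoint.
        return self._transport.send(method, path, params, self._api_key)


def tool_layer(broker):
    """Models the MCP tooling logic: it asks for operations by name and gets results,
    never the credential. It also probes two operations it was not granted."""
    result = {"portfolio": broker.call("portfolio")}
    for op in ("withdraw", "trade"):
        try:
            broker.call(op)
            result[op] = "allowed"
        except PermissionError:
            result[op] = "denied"
    return result


def run_demo():
    """Read-only grant: the tool layer can query data but cannot trade or withdraw."""
    transport = RecordingTransport()
    broker = CredentialBroker(
        api_key="sk-constructed-example-key",  # constructed; not a real key
        transport=transport,
        allowed_ops=("search", "inspect", "screen", "portfolio"),
    )
    outcome = tool_layer(broker)
    return outcome, broker.audit_log, transport.requests


if __name__ == "__main__":
    outcome, log, requests = run_demo()
    print(outcome)
    print(log)
    print(len(requests), "request(s) carried the key, all from the broker side")
```

If a user genuinely wants trading, 'trade' is added to the allowlist explicitly at install time; the tool layer still cannot reach 'withdraw' or any path outside the table, and the audit log records every denial.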
Medium

No version pinning on external MCP package

The npx invocation uses '@edgedottrade/mcp' without any version specifier. This means any version—potentially a malicious one published after account compromise—is accepted. The '-y' flag bypasses confirmation prompts.

SKILL.md:29
Pin the package to an exact version (e.g., '@edgedottrade/mcp@<exact version>') and verify the integrity hash. Prefer vendoring the binary directly rather than relying on npx resolution.
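An added example of the gate this remediation describes, written for this report and not part of the skill or of npm. It rejects any spec that is not an exact x.y.z pin and checks a downloaded tarball against an npm-style SRI integrity string ('sha512-<base64 digest>', the format npm publishes as dist.integrity). The version '1.2.3' in the test calls and the tarball bytes are constructed; in practice the reference string comes from 'npm view <pkg>@<version> dist.integrity' and the tarball from 'npm pack <pkg>@<version>', after which the vetted tarball is vendored and installed from the file.

```python
import base64
import hashlib
import hmac
import re

# npm spec: optional @scope/, name, optional @version. Only an exact x.y.z is a pin;
# ranges (^, ~, *), dist-tags (latest) and a bare name all resolve at run time.
PKG_SPEC = re.compile(r"^(?P<name>(?:@[^/@\s]+/)?[^/@\s]+)(?:@(?P<version>\S+))?$")
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
SRI_ALGOS = ("sha512", "sha384", "sha256")


def is_pinned(spec):
    """True only when the spec carries an exact version."""
    m = PKG_SPEC.match(spec)
    return bool(m and m.group("version") and EXACT_VERSION.match(m.group("version")))


def sri(data, algo="sha512"):
    """Compute an SRI-style integrity string for tarball bytes."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported algorithm {algo!r}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_integrity(data, integrity):
    """Check tarball bytes against an integrity string: strict parsing, constant-time compare."""
    algo, sep, digest_b64 = integrity.partition("-")
    if not sep or algo not in SRI_ALGOS:
        raise ValueError(f"malformed integrity string {integrity!r}")
    expected = base64.b64decode(digest_b64, validate=True)  # raises on bad base64
    if len(expected) != hashlib.new(algo).digest_size:
        raise ValueError("digest length does not match algorithm")
    actual = hashlib.new(algo, data).digest()
    return hmac.compare_digest(actual, expected)


def vet_launch(spec, tarball, expected_integrity):
    """Gate before anything is executed: unpinned spec or digest mismatch means no launch."""
    if not is_pinned(spec):
        return False, "refusing unpinned spec"
    if not verify_integrity(tarball, expected_integrity):
        return False, "integrity mismatch"
    return True, "ok"


# Constructed tarball bytes standing in for a downloaded package; not a real npm artifact.
SAMPLE_TARBALL = b"constructed tarball bytes standing in for @edgedottrade/mcp"


if __name__ == "__main__":
    reference = sri(SAMPLE_TARBALL)  # in practice: npm view <pkg>@<version> dist.integrity
    print(vet_launch("@edgedottrade/mcp", SAMPLE_TARBALL, reference))
    print(vet_launch("@edgedottrade/mcp@1.2.3", SAMPLE_TARBALL + b"\x00", reference))
    print(vet_launch("@edgedottrade/mcp@1.2.3", SAMPLE_TARBALL, reference))
```

Pinning alone does not stop a malicious version published after a maintainer account compromise if the pin is updated blindly; the integrity check ties the launch to the exact bytes that were audited, which is what makes vendoring the stronger option.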
Medium

Incomplete network activity disclosure

SKILL.md declares 'network: outbound' but the MCP server's actual network behavior includes: (1) querying the Edge Trade API for token/pair data, (2) webhook delivery for alerts, (3) polling loops for price subscriptions. These are not enumerated, making the full network footprint opaque.

SKILL.md:15
Document all expected network destinations and protocols (e.g., api.trade.edge for REST, webhook endpoints for alerts) rather than a generic 'outbound' declaration.
Medium

MCP spawn grants effectively unbounded capability escalation

The 'mcp: spawn' permission combined with spawning a full trading platform MCP server (with trade, portfolio, alerts capabilities) creates a significant capability escalation. The spawned process can access all tools declared in its schema. SKILL.md does not enumerate what the MCP server can do, leaving users unable to audit the actual attack surface.

SKILL.md:11
Document the full MCP tool schema and clarify that spawning gives the MCP server independent agency. Consider whether a direct API client (without MCP) would suffice for the declared use cases.

Declared capability vs actual capability

Dimension | Verdict | Declared | Inferred | Evidence
Filesystem | Pass | NONE | NONE | SKILL.md declares no filesystem access. No filesystem operations detected.
Network | Pass | READ (outbound) | READ | SKILL.md declares 'network: outbound' but the MCP server's actual outbound traffic (API calls to trading endpoints, webhook delivery for alerts, polling loops) is not enumerated.
Shell | Block | NONE | WRITE | SKILL.md: command: npx. The skill executes 'npx -y @edgedottrade/mcp --api-key ${API_KEY}', which is shell:WRITE not declared in allowed-tools or permissions.
Skill Invoke | Block | NONE | WRITE | SKILL.md: mcp: spawn. The skill spawns a full MCP server process, granting it all capabilities of that server's tools (search, inspect, screen, portfolio, trade, alerts). This effectively escalates from a declared API wrapper to arbitrary code execution.
Environment | Block | NONE | READ | The skill accesses $API_KEY from the environment and passes it as an argument to the spawned npx process. This is not declared in SKILL.md permissions.
Clipboard | Pass | NONE | NONE | No clipboard access detected.
Browser | Pass | NONE | NONE | No browser access detected.
Database | Pass | NONE | NONE | No database access detected.
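The table above and the score drivers earlier are the output of a declared-versus-inferred comparison. As an added worked example, not the scanner's own code, the following infers capabilities from the spawn command alone: a code launcher in argv[0] is shell:WRITE, a '${VAR}' reference is environment:READ, a credential-looking flag puts a secret on the command line, and an npx spec without an exact version is unpinned. The manifest dict and the command string are constructed stand-ins for skill.yaml and SKILL.md; the capability vocabulary ('shell:WRITE', 'environment:READ', 'credential:argv') mirrors the report's dimensions but is this example's own.

```python
import re
import shlex

# Constructed stand-ins for the relevant parts of skill.yaml and SKILL.md; not the real files.
DECLARED_PERMISSIONS = {"mcp": "spawn", "network": "outbound"}
SPAWN_COMMAND = "npx -y @edgedottrade/mcp --api-key ${API_KEY}"

# Anything that downloads or runs code is shell:WRITE whatever label the manifest uses.
CODE_LAUNCHERS = {"npx", "npm", "pnpm", "yarn", "node", "sh", "bash", "python", "python3"}
# npm spec: optional @scope/, name, optional @version. Only an exact x.y.z counts as pinned.
PKG_SPEC = re.compile(r"^(?P<name>(?:@[^/@\s]+/)?[^/@\s]+)(?:@(?P<version>\S+))?$")
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")
ENV_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")
CREDENTIAL_FLAG = re.compile(r"^--?(?:api[-_]?key|token|secret|password|auth)(?:=|$)", re.I)


def infer(command):
    """Return (inferred capability set, list of (finding_id, detail)) for one spawn command."""
    argv = shlex.split(command)
    caps, findings = set(), []
    if not argv:
        return caps, findings
    launcher = argv[0]
    if launcher in CODE_LAUNCHERS:
        caps.add("shell:WRITE")
        findings.append(("undeclared-shell", f"'{launcher}' executes downloaded or local code"))
    if launcher == "npx":
        rest = argv[1:]
        if "-y" in rest or "--yes" in rest:
            findings.append(("npx-auto-install", "-y installs the package without a prompt"))
        # First non-flag argument after npx is the package spec.
        spec = next((a for a in rest if not a.startswith("-")), None)
        match = PKG_SPEC.match(spec) if spec else None
        if match:
            version = match.group("version")
            if not (version and EXACT_VERSION.match(version)):
                findings.append(("unpinned-package",
                                 f"{match.group('name')} resolves to whatever npm serves at run time"))
    for i, arg in enumerate(argv):
        for var in ENV_REF.findall(arg):
            caps.add("environment:READ")
            findings.append(("env-read", f"${var} is read from the environment"))
        if CREDENTIAL_FLAG.match(arg):
            # Value is either after '=' or the next argv element; both end up visible to
            # every process that can list the command line.
            value = arg.split("=", 1)[1] if "=" in arg else (argv[i + 1] if i + 1 < len(argv) else "")
            caps.add("credential:argv")
            findings.append(("credential-in-argv",
                             f"{arg.split('=')[0]} puts {value or 'a secret'} on the command line"))
    return caps, findings


def declared(permissions):
    """Map the manifest's permission block onto the same 'dimension:level' vocabulary."""
    return {f"{dim}:{level}" for dim, level in permissions.items()}


def audit(permissions, command):
    """Capabilities the command needs that the manifest never declared, plus the findings."""
    caps, findings = infer(command)
    return sorted(caps - declared(permissions)), findings


if __name__ == "__main__":
    undeclared, notes = audit(DECLARED_PERMISSIONS, SPAWN_COMMAND)
    print("undeclared:", undeclared)
    for fid, detail in notes:
        print(f"  [{fid}] {detail}")
```

Run against the constructed command this reports shell:WRITE, environment:READ and credential:argv as undeclared, which is the same three-way gap the table records for Shell, Environment and the credential passed to the spawned process. A pinned spec without '-y' and without a credential flag still registers shell:WRITE, because npx runs code regardless of how carefully the package is chosen.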

Suspicious artifacts and egress

Medium External URL
https://docs.trade.edge/agents

SKILL.md:26

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
@edgedottrade/mcp | * | npm (via npx) | No | No version pinned. Pulled from npm at runtime via npx -y. Not vendored or audited.

File composition

2 files · 48 lines
Markdown: 1 file · 26 lines
YAML: 1 file · 22 lines
Files of concern · 1
SKILL.md Markdown · 26 lines
Undeclared shell execution via npx spawn · API key passed to opaque external binary · No version pinning on external MCP package · Incomplete network activity disclosure · MCP spawn grants effectively unbounded capability escalation · https://docs.trade.edge/agents
Other files · skill.yaml

Security positives

The skill is for a legitimate, documented use case (crypto trading data) with no evidence of reverse shell, C2, or direct data theft code.
SKILL.md documents tool capabilities clearly for the visible surface (search, inspect, screen, portfolio, trade, alerts).
The MCP server is named and points to a declared GitHub repository, providing a traceable source.
API key is marked as secret:true in the config schema.
No base64-encoded payloads, eval chains, or direct IP network requests found in the skill definition itself.