Suspicious — Risk Score 52/100
Last scan: 2 days ago
edge
On-chain trading data and order management via MCP server. Search tokens, inspect pairs, screen for gems, analyze wallets, place limit orders, subscribe to price alerts.
The skill spawns an external MCP server via npx with an API key, creating opaque code execution that is not inspectable, with undeclared shell execution and indirect credential exposure.
Skill Name: edge
Duration: 58.1s
Engine: pi
Use with caution
Replace the MCP spawn approach with a direct, auditable HTTP-based integration. If MCP is required, use a locally vendored, pinned binary rather than npx pull from npm. Pass the API key only to specific API calls, not as a startup argument to a spawned server.

Attack Chain 4 steps

Entry User installs and configures the 'edge' skill, providing their Edge Trade API key
SKILL.md:33
Escalation Skill spawns an external MCP server via 'npx -y @edgedottrade/mcp' with the API key as a startup argument, executing arbitrary code from npm
SKILL.md:28
Escalation The opaque MCP server receives the full API key and gains access to trade, portfolio, and alert capabilities without isolation
SKILL.md:35
Impact MCP server can make arbitrary API calls on behalf of the user (trading, withdrawals) or exfiltrate the API key via its network access
SKILL.md:29

Findings 5 items

Severity Finding Location
High
Undeclared shell execution via npx spawn
The skill invokes 'npx -y @edgedottrade/mcp --api-key ${API_KEY}' which downloads and executes an external npm package. This is shell:WRITE execution and constitutes remote code execution from an external source. The SKILL.md only mentions 'mcp: spawn' without disclosing that npx is used, making the execution vector invisible to users reviewing only the documented behavior.
command: npx
args: ["-y", "@edgedottrade/mcp", "--api-key", "${API_KEY}"]
→ Replace npx spawn with a locally vendored, pinned binary or a direct HTTPS API client. If MCP spawning is truly required, use a pre-approved, audited binary rather than pulling from npm at runtime.
SKILL.md:28
High
API key passed to opaque external binary
The Edge Trade API key is passed as a command-line argument to the spawned MCP server at startup. This means the credential is exposed to an external, uninspectable binary from the moment the skill initializes. The MCP server could use this key for any API operation including trading, withdrawal, or data exfiltration. SKILL.md describes it as 'Edge Trade API key (sk-...)' but does not warn about the attack surface of passing it to an external process.
key: API_KEY
description: Edge Trade API key (sk-...)
required: true
secret: true
→ Pass the API key only to specific, audited API calls rather than as a startup argument. Consider a design where the skill makes the API calls directly and the MCP server only provides tooling logic, never receiving the credential.
SKILL.md:35
Medium
No version pinning on external MCP package
The npx invocation uses '@edgedottrade/mcp' without any version specifier. This means any version—potentially a malicious one published after account compromise—is accepted. The '-y' flag bypasses confirmation prompts.
args: ["-y", "@edgedottrade/mcp", "--api-key", "${API_KEY}"]
→ Pin the package to a specific version (e.g., '@edgedottrade/mcp@<version>', with the exact version substituted) and verify the integrity hash. Prefer vendoring the binary directly rather than relying on npx resolution.
SKILL.md:29
Medium
Incomplete network activity disclosure
SKILL.md declares 'network: outbound' but the MCP server's actual network behavior includes: (1) querying the Edge Trade API for token/pair data, (2) webhook delivery for alerts, (3) polling loops for price subscriptions. These are not enumerated, making the full network footprint opaque.
permissions:
  - network: outbound
→ Document all expected network destinations and protocols (e.g., api.trade.edge for REST, webhook endpoints for alerts) rather than a generic 'outbound' declaration.
SKILL.md:15
Medium
MCP spawn grants effectively unbounded capability escalation
The 'mcp: spawn' permission combined with spawning a full trading platform MCP server (with trade, portfolio, alerts capabilities) creates a significant capability escalation. The spawned process can access all tools declared in its schema. SKILL.md does not enumerate what the MCP server can do, leaving users unable to audit the actual attack surface.
trade — limit orders, entry/exit strategies, price impact
alerts — subscribe/poll/unsubscribe; webhook delivery supported
→ Document the full MCP tool schema and clarify that spawning gives the MCP server independent agency. Consider whether a direct API client (without MCP) would suffice for the declared use cases.
SKILL.md:11
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | NONE | | SKILL.md declares no filesystem access. No filesystem operations detected.
Network | READ (outbound) | READ | ✓ Aligned | SKILL.md declares 'network: outbound' but the MCP server's actual outbound traff…
Shell | NONE | WRITE | ✗ Violation | SKILL.md: command: npx. The skill executes 'npx -y @edgedottrade/mcp --api-key $…
Skill Invoke | NONE | WRITE | ✗ Violation | SKILL.md: mcp: spawn. The skill spawns a full MCP server process, granting it al…
Environment | NONE | READ | ✗ Violation | The skill accesses $API_KEY from the environment and passes it as an argument to…
Clipboard | NONE | NONE | | No clipboard access detected.
Browser | NONE | NONE | | No browser access detected.
Database | NONE | NONE | | No database access detected.
1 finding
Medium External URL
https://docs.trade.edge/agents
SKILL.md:26

File Tree

2 files · 1.6 KB · 48 lines
Markdown: 1 file · 26 lines; YAML: 1 file · 22 lines
├─ 📝 SKILL.md Markdown 26L · 1.0 KB
└─ 📋 skill.yaml YAML 22L · 639 B

Dependencies 1 item

Package | Version | Source | Known Vulns | Notes
@edgedottrade/mcp | * | npm (via npx) | No | No version pinned. Pulled from npm at runtime via npx -y. Not vendored or audited.

Security Positives

✓ The skill is for a legitimate, documented use case (crypto trading data) with no evidence of reverse shell, C2, or direct data theft code.
✓ SKILL.md documents tool capabilities clearly for the visible surface (search, inspect, screen, portfolio, trade, alerts).
✓ The MCP server is named and points to a declared GitHub repository, providing a traceable source.
✓ API key is marked as secret:true in the config schema.
✓ No base64-encoded payloads, eval chains, or direct IP network requests found in the skill definition itself.