Security Decision Report

edge

The skill spawns an external MCP server via npx and hands it an API key, resulting in opaque, uninspectable code execution, undeclared shell execution and indirect credential exposure.

Installation decision first · Source: manual upload · Scan time: 2026/4/3
Files: 2
IOCs: 1
Permission violations: 3
Findings: 5
Most direct threat evidence
01
User installs and configures the 'edge' skill, providing their Edge Trade API key · Initial entry · SKILL.md
02
Skill spawns an external MCP server via 'npx -y @edgedottrade/mcp' with the API key as a startup argument, executing arbitrary code from npm · Privilege escalation · SKILL.md
03
The opaque MCP server receives the full API key and gains access to trade, portfolio, and alert capabilities without isolation · Privilege escalation · SKILL.md

Why this conclusion was reached

2 of 4 dimensions triggered
Block
Declared vs actual capabilities

Found 3 capabilities or permission violations beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 1 general-risk artifact; it needs to be judged in context.

Block
Attack chain and high-risk findings

The report contains a 4-step attack chain, plus 2 high or critical findings.

Review
Dependencies and supply-chain hygiene

Found 1 dependency or supply-chain indicator that needs attention.

Attack chain

01
User installs and configures the 'edge' skill, providing their Edge Trade API key

Initial entry · SKILL.md:33

02
Skill spawns an external MCP server via 'npx -y @edgedottrade/mcp' with the API key as a startup argument, executing arbitrary code from npm

Privilege escalation · SKILL.md:28

03
The opaque MCP server receives the full API key and gains access to trade, portfolio, and alert capabilities without isolation

Privilege escalation · SKILL.md:35

04
MCP server can make arbitrary API calls on behalf of the user (trading, withdrawals) or exfiltrate the API key via its network access

Final impact · SKILL.md:29

How the risk score was driven up

Undeclared shell execution (npx) +20

SKILL.md declares mcp:spawn but does not disclose that npx is invoked, which is shell:WRITE execution. Users see only 'MCP server' and may not realize arbitrary code is downloaded and run.

Opaque external binary with credential access +18

The entire capability surface depends on the @edgedottrade/mcp npm package, which is a black box. The API key is passed as a startup argument, meaning the binary has access to it from initialization with no isolation.

Undeclared outbound network activity +10

SKILL.md declares 'network: outbound' only, but the MCP server likely makes multiple outbound requests beyond what is documented. The actual network footprint is invisible.

No dependency pinning +4

The npx command has no version pinning; any version of @edgedottrade/mcp is accepted, enabling supply chain attacks.

Most critical evidence

High

Undeclared shell execution via npx spawn

The skill invokes 'npx -y @edgedottrade/mcp --api-key ${API_KEY}' which downloads and executes an external npm package. This is shell:WRITE execution and constitutes remote code execution from an external source. The SKILL.md only mentions 'mcp: spawn' without disclosing that npx is used, making the execution vector invisible to users reviewing only the documented behavior.

SKILL.md:28
Replace npx spawn with a locally vendored, pinned binary or a direct HTTPS API client. If MCP spawning is truly required, use a pre-approved, audited binary rather than pulling from npm at runtime.
High

API key passed to opaque external binary

The Edge Trade API key is passed as a command-line argument to the spawned MCP server at startup. This means the credential is exposed to an external, uninspectable binary from the moment the skill initializes. The MCP server could use this key for any API operation including trading, withdrawal, or data exfiltration. SKILL.md describes it as 'Edge Trade API key (sk-...)' but does not warn about the attack surface of passing it to an external process.

SKILL.md:35
Pass the API key only to specific, audited API calls rather than as a startup argument. Consider a design where the skill makes the API calls directly and the MCP server only provides tooling logic, never receiving the credential.
Medium

No version pinning on external MCP package

The npx invocation uses '@edgedottrade/mcp' without any version specifier. This means any version—potentially a malicious one published after account compromise—is accepted. The '-y' flag bypasses confirmation prompts.

SKILL.md:29
Pin the package to a specific version (e.g., '@edgedottrade/[email protected]') and verify the integrity hash. Prefer vendoring the binary directly rather than relying on npx resolution.
Medium

Incomplete network activity disclosure

SKILL.md declares 'network: outbound' but the MCP server's actual network behavior includes: (1) querying the Edge Trade API for token/pair data, (2) webhook delivery for alerts, (3) polling loops for price subscriptions. These are not enumerated, making the full network footprint opaque.

SKILL.md:15
Document all expected network destinations and protocols (e.g., api.trade.edge for REST, webhook endpoints for alerts) rather than a generic 'outbound' declaration.
Medium

MCP spawn grants effectively unbounded capability escalation

The 'mcp: spawn' permission combined with spawning a full trading platform MCP server (with trade, portfolio, alerts capabilities) creates a significant capability escalation. The spawned process can access all tools declared in its schema. SKILL.md does not enumerate what the MCP server can do, leaving users unable to audit the actual attack surface.

SKILL.md:11
Document the full MCP tool schema and clarify that spawning gives the MCP server independent agency. Consider whether a direct API client (without MCP) would suffice for the declared use cases.

Declared capabilities vs actual capabilities

Filesystem · Pass
Declared: NONE
Inferred: NONE
SKILL.md declares no filesystem access. No filesystem operations detected.
Network access · Pass
Declared: READ (outbound)
Inferred: READ
SKILL.md declares 'network: outbound', but the MCP server's actual outbound traffic (API calls to trading endpoints, webhook delivery for alerts, polling loops) is not enumerated.
Command execution · Block
Declared: NONE
Inferred: WRITE
SKILL.md: command: npx. The skill executes 'npx -y @edgedottrade/mcp --api-key ${API_KEY}', which is shell:WRITE execution not declared in allowed-tools or permissions.
Skill invocation · Block
Declared: NONE
Inferred: WRITE
SKILL.md: mcp: spawn. The skill spawns a full MCP server process, granting it all capabilities of that server's tools (search, inspect, screen, portfolio, trade, alerts). This effectively escalates from a declared API wrapper to arbitrary code execution.
Environment variables · Block
Declared: NONE
Inferred: READ
The skill reads $API_KEY from the environment and passes it as an argument to the spawned npx process. This is not declared in SKILL.md permissions.
Clipboard · Pass
Declared: NONE
Inferred: NONE
No clipboard access detected.
Browser · Pass
Declared: NONE
Inferred: NONE
No browser access detected.
Database · Pass
Declared: NONE
Inferred: NONE
No database access detected.

Suspicious artifacts and outbound connections

Medium · External URL
https://docs.trade.edge/agents

SKILL.md:26

Dependencies and supply chain

Package · Version · Source · Vulnerabilities · Notes
@edgedottrade/mcp · * · npm (via npx) · none listed · No version pinned. Pulled from npm at runtime via npx -y. Not vendored or audited.

File composition

2 files · 48 lines
Markdown: 1 file · 26 lines
YAML: 1 file · 22 lines
Files needing attention · 1
SKILL.md · Markdown · 26 lines
Undeclared shell execution via npx spawn · API key passed to opaque external binary · No version pinning on external MCP package · Incomplete network activity disclosure · MCP spawn grants effectively unbounded capability escalation · https://docs.trade.edge/agents
Other files · skill.yaml

Security highlights

The skill is for a legitimate, documented use case (crypto trading data) with no evidence of reverse shell, C2, or direct data theft code.
SKILL.md documents tool capabilities clearly for the visible surface (search, inspect, screen, portfolio, trade, alerts).
The MCP server is named and points to a declared GitHub repository, providing a traceable source.
API key is marked as secret:true in the config schema.
No base64-encoded payloads, eval chains, or direct IP network requests found in the skill definition itself.