Suspicious: risk score 52/100
Last scanned: 2 days ago
edge
On-chain trading data and order management via MCP server. Search tokens, inspect pairs, screen for gems, analyze wallets, place limit orders, subscribe to price alerts.
The skill spawns an external MCP server via npx with an API key, creating opaque code execution that is not inspectable, with undeclared shell execution and indirect credential exposure.
Skill name: edge
Analysis time: 58.1s
Engine: pi
Use with caution
Replace the MCP spawn approach with a direct, auditable HTTP-based integration. If MCP is required, use a locally vendored, pinned binary rather than pulling the package from npm via npx. Pass the API key only to specific API calls, not as a startup argument to a spawned server.

Attack chain: 4 steps

Entry: User installs and configures the 'edge' skill, providing their Edge Trade API key
SKILL.md:33
Privilege escalation: Skill spawns an external MCP server via 'npx -y @edgedottrade/mcp' with the API key as a startup argument, executing arbitrary code from npm
SKILL.md:28
Privilege escalation: The opaque MCP server receives the full API key and gains access to trade, portfolio, and alert capabilities without isolation
SKILL.md:35
Impact: MCP server can make arbitrary API calls on behalf of the user (trading, withdrawals) or exfiltrate the API key via its network access
SKILL.md:29

Security findings: 5 items

Severity / Finding / Location
High
Undeclared shell execution via npx spawn
The skill invokes 'npx -y @edgedottrade/mcp --api-key ${API_KEY}' which downloads and executes an external npm package. This is shell:WRITE execution and constitutes remote code execution from an external source. The SKILL.md only mentions 'mcp: spawn' without disclosing that npx is used, making the execution vector invisible to users reviewing only the documented behavior.
command: npx
args: ["-y", "@edgedottrade/mcp", "--api-key", "${API_KEY}"]
→ Replace npx spawn with a locally vendored, pinned binary or a direct HTTPS API client. If MCP spawning is truly required, use a pre-approved, audited binary rather than pulling from npm at runtime.
SKILL.md:28
High
API key passed to opaque external binary
The Edge Trade API key is passed as a command-line argument to the spawned MCP server at startup. This means the credential is exposed to an external, uninspectable binary from the moment the skill initializes. The MCP server could use this key for any API operation including trading, withdrawal, or data exfiltration. SKILL.md describes it as 'Edge Trade API key (sk-...)' but does not warn about the attack surface of passing it to an external process.
key: API_KEY
description: Edge Trade API key (sk-...)
required: true
secret: true
→ Pass the API key only to specific, audited API calls rather than as a startup argument. Consider a design where the skill makes the API calls directly and the MCP server only provides tooling logic, never receiving the credential.
SKILL.md:35
Medium
No version pinning on external MCP package
The npx invocation uses '@edgedottrade/mcp' without any version specifier. This means any version—potentially a malicious one published after account compromise—is accepted. The '-y' flag bypasses confirmation prompts.
args: ["-y", "@edgedottrade/mcp", "--api-key", "${API_KEY}"]
→ Pin the package to a specific version (e.g., '@edgedottrade/mcp@<version>') and verify the integrity hash. Prefer vendoring the binary directly rather than relying on npx resolution.
SKILL.md:29
Medium
Incomplete network activity disclosure
SKILL.md declares 'network: outbound' but the MCP server's actual network behavior includes: (1) querying the Edge Trade API for token/pair data, (2) webhook delivery for alerts, (3) polling loops for price subscriptions. These are not enumerated, making the full network footprint opaque.
permissions:
  - network: outbound
→ Document all expected network destinations and protocols (e.g., api.trade.edge for REST, webhook endpoints for alerts) rather than a generic 'outbound' declaration.
SKILL.md:15
Medium
MCP spawn grants effectively unbounded capability escalation
The 'mcp: spawn' permission combined with spawning a full trading platform MCP server (with trade, portfolio, alerts capabilities) creates a significant capability escalation. The spawned process can access all tools declared in its schema. SKILL.md does not enumerate what the MCP server can do, leaving users unable to audit the actual attack surface.
trade — limit orders, entry/exit strategies, price impact
alerts — subscribe/poll/unsubscribe; webhook delivery supported
→ Document the full MCP tool schema and clarify that spawning gives the MCP server independent agency. Consider whether a direct API client (without MCP) would suffice for the declared use cases.
SKILL.md:11
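| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | NONE | NONE | | SKILL.md declares no filesystem access. No filesystem operations detected. |
| Network access | READ (outbound) | READ | ✓ Consistent | SKILL.md declares 'network: outbound' but the MCP server's actual outbound traff… |
| Command execution | NONE | WRITE | ✗ Exceeds declared permission | SKILL.md: command: npx. The skill executes 'npx -y @edgedottrade/mcp --api-key $… |
| Skill invocation | NONE | WRITE | ✗ Exceeds declared permission | SKILL.md: mcp: spawn. The skill spawns a full MCP server process, granting it al… |
| Environment variables | NONE | READ | ✗ Exceeds declared permission | The skill accesses $API_KEY from the environment and passes it as an argument to… |
| Clipboard | NONE | NONE | | No clipboard access detected. |
| Browser | NONE | NONE | | No browser access detected. |
| Database | NONE | NONE | | No database access detected. |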
1 finding
Medium: External URL
https://docs.trade.edge/agents
SKILL.md:26

Directory structure

2 files · 1.6 KB · 48 lines
Markdown 1f · 26L YAML 1f · 22L
├─ 📝 SKILL.md Markdown 26L · 1.0 KB
└─ 📋 skill.yaml YAML 22L · 639 B

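Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| @edgedottrade/mcp | * | npm (via npx) | | No version pinned. Pulled from npm at runtime via npx -y. Not vendored or audited. |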

Security highlights

✓ The skill is for a legitimate, documented use case (crypto trading data) with no evidence of reverse shell, C2, or direct data theft code.
✓ SKILL.md documents tool capabilities clearly for the visible surface (search, inspect, screen, portfolio, trade, alerts).
✓ The MCP server is named and points to a declared GitHub repository, providing a traceable source.
✓ API key is marked as secret:true in the config schema.
✓ No base64-encoded payloads, eval chains, or direct IP network requests found in the skill definition itself.