Low Risk — Risk Score 22/100
Last scan: 22 hr ago
hft-paper-trader
High-frequency paper trading framework for crypto. Multi-indicator TA scoring, dual-regime filter, Kelly criterion position sizing, auto-observation logging, and trade ledger.
A legitimate paper trading framework with no malicious code present, but SKILL.md contains undeclared filesystem/network tool usage needed to fulfill its described autonomous-agent role, creating a doc-to-capability mismatch.
Tags: trading · paper-trading · hft · crypto · kelly
Skill Name: hft-paper-trader
Duration: 32.7s
Engine: pi
Safe to install
Add explicit allowed-tools declarations (Binance API calls → network:READ, portfolio/journal writes → filesystem:WRITE) and correct the version mismatch (SKILL.md says v1.1.0, _meta.json says v1.0.0). The skill cannot actually function as described without filesystem and network permissions.

Findings (2 items)

Severity | Finding | Category | Location

Medium | Incomplete tool permissions — autonomous agent cannot function as described | Doc Mismatch | SKILL.md:1
SKILL.md describes an autonomous hourly trading agent that fetches Binance market data and writes to portfolio.json, journal.json, and observations.md, but declares zero allowed-tools. The skill as described requires network:READ for API calls and filesystem:WRITE for log/portfolio persistence, neither of which is declared.
Evidence: No allowed-tools declaration in _meta.json
→ Add an allowed-tools section to _meta.json: ['Bash', 'Read', 'Write', 'WebFetch'] or equivalent, mapped to filesystem:WRITE and network:READ.

Low | Version mismatch between SKILL.md and _meta.json | Doc Mismatch | SKILL.md:1
SKILL.md frontmatter and the stop-loss code comment say v1.1.0, but _meta.json and the frontmatter published-at timestamp reference v1.0.0. This is a minor inconsistency.
Evidence: version: 1.1.0 (SKILL.md) vs 1.0.0 (_meta.json)
→ Align version numbers across SKILL.md, _meta.json, and all code comments.
Resource | Declared | Inferred | Status | Evidence
Network | NONE | READ | ✗ Violation | SKILL.md: Binance public API calls for market data — required for described func…
Filesystem | NONE | WRITE | ✗ Violation | SKILL.md: portfolio.json, journal.json, observations.md writes — required for de…
Shell | NONE | NONE | OK | No shell execution detected in any file
Environment | NONE | NONE | OK | No environment variable access detected
Skill Invoke | NONE | NONE | OK | No cross-skill invocation detected

File Tree

2 files · 3.2 KB · 91 lines
Markdown: 1 file · 86 lines · JSON: 1 file · 5 lines
├─ 📋 _meta.json (JSON, 5 lines, 135 B)
└─ 📝 SKILL.md (Markdown, 86 lines, 3.1 KB)

Security Positives

✓ No shell commands, subprocess calls, or code execution mechanisms found in any file
✓ No credential harvesting, environment variable iteration, or sensitive path access (~/.ssh, ~/.aws, .env)
✓ No obfuscation (no base64, no eval, no atob patterns)
✓ No supply chain risks — no dependencies, requirements.txt, or package.json present
✓ No persistence mechanisms (no cron, startup hooks, or backdoor installation code)
✓ Binance API usage is explicitly public-only (no API key requirements mentioned)
✓ Trade operations are paper-trading only with no real fund manipulation capability
✓ No hidden HTML comments, injection vectors, or jailbreak instructions