
LLM Trading Agent Security
Layer financial-grade controls when an LLM agent can sign transactions, place orders, or touch treasury wallets so injection and tool misuse cannot drain funds.
Overview
LLM Trading Agent Security is an agent skill most often used in Ship (also Build) that defines layered defenses for LLM agents with wallet or transaction authority.
Install
npx skills add https://github.com/affaan-m/everything-claude-code --skill llm-trading-agent-security
What is this skill?
- Treats on-chain and trading prompts as adversarial input with regex-style injection pattern checks before tool use
- Layers independent controls: prompt hygiene, spend policy, pre-send simulation, circuit breakers, and wallet isolation
- Covers MEV-aware execution thinking and safe handling of signing keys for agent-driven swaps and treasury ops
- Includes Python-oriented sanitize-onchain-data example for blocking transfer/approve injection phrases
- Explicit threat model: bad tool paths become immediate asset loss, stricter than typical LLM apps
- 6+ injection-oriented regex patterns in the sanitize example
- 5 control layers named: prompt hygiene, spend policy, simulation, execution limits, wallet isolation
Adoption & trust: 3k installs on skills.sh; 210k GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your trading or on-chain agent can move real funds, so a single prompt injection or bad tool call can cause immediate asset loss.
Who is it for?
Indie builders wiring LLM tool use to swaps, orders, or treasury flows who need a concrete security checklist beyond generic LLM safety.
Skip if: Read-only market analytics with no signing authority, or teams that only need traditional web app OWASP review without wallets.
When should I use this skill?
Building or auditing an AI agent that signs and sends transactions, manages wallets, or places orders/swaps/treasury operations with LLM access.
What do I get? / Deliverables
You implement stacked controls—injection filtering, spend limits, simulation, circuit breakers, MEV awareness, and key isolation—before the agent is allowed to sign or send.
- Layered security control checklist for the agent
- Injection sanitization patterns for on-chain text
- Spend and circuit-breaker policy outline
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf is Ship because the skill is about hardening autonomous execution before real money moves in production-like flows. It maps directly to security review patterns—prompt injection as financial attack, spend caps, simulation, circuit breakers, and key isolation—not generic app coding.
Where it fits
Design tool boundaries before connecting a swap API so the model cannot approve unlimited token spends.
Run an injection-focused review on prompts that ingest token names and pair labels from DEX UIs.
Add circuit breakers and anomaly alerts when live agent order volume spikes after a bad RSS feed ingest.
How it compares
Use alongside generic appsec skills when funds are at stake—financial agents need execution limits and wallet isolation, not prompt policies alone.
Common Questions / FAQ
Who is llm-trading-agent-security for?
Developers building or auditing autonomous trading bots and on-chain agents where the LLM can trigger signed transactions or treasury operations.
When should I use llm-trading-agent-security?
During build when designing wallet and tool boundaries, and during ship security review before mainnet or live exchange keys—any time signing authority meets model-generated actions.
Is llm-trading-agent-security safe to install?
It is guidance-only; confirm practices against your chain and custodian policies and review the Security Audits panel on this Prism page before production deployment.
SKILL.md - LLM Trading Agent Security
# LLM Trading Agent Security

Autonomous trading agents have a harsher threat model than normal LLM apps: an injection or bad tool path can turn directly into asset loss.

## When to Use

- Building an AI agent that signs and sends transactions
- Auditing a trading bot or on-chain execution assistant
- Designing wallet key management for an agent
- Giving an LLM access to order placement, swaps, or treasury operations

## How It Works

Layer the defenses. No single check is enough. Treat prompt hygiene, spend policy, simulation, execution limits, and wallet isolation as independent controls.

## Examples

### Treat prompt injection as a financial attack

```python
import re

# Phrases that should never appear in data the agent reads from untrusted
# sources (token names, pair labels, webhooks, social feeds).
INJECTION_PATTERNS = [
    r'ignore (previous|all) instructions',
    r'new (task|directive|instruction)',
    r'system prompt',
    r'send .{0,50} to 0x[0-9a-fA-F]{40}',
    r'transfer .{0,50} to',
    r'approve .{0,50} for',
]


def sanitize_onchain_data(text: str) -> str:
    """Fail closed: raise instead of passing suspicious text into an execution-capable prompt."""
    for pattern in INJECTION_PATTERNS:
        if re.search(pattern, text, re.IGNORECASE):
            raise ValueError(f"Potential prompt injection: {text[:100]}")
    return text
```

Do not blindly inject token names, pair labels, webhooks, or social feeds into an execution-capable prompt.
### Hard spend limits

```python
import time
from decimal import Decimal

MAX_SINGLE_TX_USD = Decimal("500")
MAX_DAILY_SPEND_USD = Decimal("2000")


class SpendLimitError(Exception):
    pass


class SpendLimitGuard:
    def __init__(self) -> None:
        # In-memory ledger of (unix time, usd) for illustration; persist it in production.
        self._spends: list[tuple[float, Decimal]] = []

    def _get_24h_spend(self) -> Decimal:
        cutoff = time.time() - 24 * 3600
        return sum((amt for ts, amt in self._spends if ts >= cutoff), Decimal("0"))

    def _record_spend(self, usd_amount: Decimal) -> None:
        self._spends.append((time.time(), usd_amount))

    def check_and_record(self, usd_amount: Decimal) -> None:
        # Per-transaction cap first, then the rolling 24h cap; record only if both pass.
        if usd_amount > MAX_SINGLE_TX_USD:
            raise SpendLimitError(f"Single tx ${usd_amount} exceeds max ${MAX_SINGLE_TX_USD}")
        daily = self._get_24h_spend()
        if daily + usd_amount > MAX_DAILY_SPEND_USD:
            raise SpendLimitError(f"Daily limit: ${daily} + ${usd_amount} > ${MAX_DAILY_SPEND_USD}")
        self._record_spend(usd_amount)
```

### Simulate before sending

```python
from eth_account.signers.local import LocalAccount
from hexbytes import HexBytes
from web3 import AsyncWeb3


class SlippageError(Exception):
    pass


def decode_uint256(data: bytes) -> int:
    # Decodes the first 32-byte ABI word. For router functions that return
    # uint256[] (an offset comes first), decode with the contract ABI instead.
    return int.from_bytes(bytes(data)[:32], "big")


class SafeExecutor:
    def __init__(self, w3: AsyncWeb3, account: LocalAccount) -> None:
        self.w3 = w3
        self.account = account

    async def safe_execute(self, tx: dict, expected_min_out: int | None = None) -> HexBytes:
        # Refuse to proceed without a slippage floor, before spending an RPC call.
        if expected_min_out is None:
            raise ValueError("min_amount_out is required before send")
        # Dry-run the exact calldata; sign only if the simulated output clears the floor.
        sim_result = await self.w3.eth.call(tx)
        actual_out = decode_uint256(sim_result)
        if actual_out < expected_min_out:
            raise SlippageError(f"Simulation: {actual_out} < {expected_min_out}")
        signed = self.account.sign_transaction(tx)
        return await self.w3.eth.send_raw_transaction(signed.raw_transaction)
```

### Circuit breaker

```python
class CircuitBreakerHalted(Exception):
    pass


class TradingCircuitBreaker:
    MAX_CONSECUTIVE_LOSSES = 3
    MAX_HOURLY_LOSS_PCT = 0.05

    def __init__(self, hour_start_value: float) -> None:
        self.hour_start_value = hour_start_value  # portfolio value at the start of the window
        self.consecutive_losses = 0  # incremented by the caller on each losing trade
        self.halted = False

    def halt(self, reason: str) -> None:
        # Latch open: once tripped, the breaker stays open until a human resets it.
        self.halted = True
        raise CircuitBreakerHalted(reason)

    def check(self, portfolio_value: float) -> None:
        if self.halted:
            self.halt("Breaker already open")
        if self.consecutive_losses >= self.MAX_CONSECUTIVE_LOSSES:
            self.halt("Too many consecutive losses")
        if self.hour_start_value <= 0:
            self.halt("Invalid hour_start_value")
        hourly_pnl = (portfolio_value - self.hour_start_value) / self.hour_start_value
        if hourly_pnl < -self.MAX_HOURLY_LOSS_PCT:
            self.halt(f"Hourly PnL {hourly_pnl:.1%} below threshold")
```

### Wallet isolation

```python
import os

from eth_account import Account

# The agent only ever sees the key of a dedicated hot wallet, supplied through the
# environment (from a secret manager, not a config file in the repository).
private_key = os.environ.get("TRADING_WALLET_PRIVATE_KEY")
if not private_key:
    raise EnvironmentError("TRADING_WALLET_PRIVATE_KEY not set")
account = Account.from_key(private_key)
```

Use a dedicated hot wallet with only the required session funds. Never point the agent at a primary treasury wallet.

### MEV and deadline protection

```python
import time

# Submit through a private relay so pending swaps are not visible in the public mempool.
PRIVATE_RPC = "https://rpc.flashbots.net"
# Slippage caps in basis points, tighter for stable pairs than for volatile ones.
MAX_SLIPPAGE_BPS = {"stable": 10, "volatile": 50}
# Short deadline so a delayed transaction cannot execute at a stale price.
deadline = int(time.time()) + 60
```

## Pre-Deploy C