affaan-m/llm-trading-agent-security

Security patterns for autonomous trading agents with wallet or transaction authority. Covers prompt injection, spend limits, pre-send simulation, circuit breakers, MEV protection, and key handling.

v1.1 · Saved May 11, 2026

LLM Trading Agent Security

Autonomous trading agents have a harsher threat model than normal LLM apps: an injection or bad tool path can turn directly into asset loss.

When to Use

  • Building an AI agent that signs and sends transactions
  • Auditing a trading bot or on-chain execution assistant
  • Designing wallet key management for an agent
  • Giving an LLM access to order placement, swaps, or treasury operations

How It Works

Layer the defenses. No single check is enough. Treat prompt hygiene, spend policy, simulation, execution limits, and wallet isolation as independent controls.

Examples

Treat prompt injection as a financial attack

import re

# Tripwire for obvious injection payloads in data pulled from chain, feeds, or webhooks.
# Pattern matching is deliberately crude: it catches copy-paste attacks, not paraphrase or
# encoded instructions, so it sits in front of the spend and policy controls below and
# does not replace them.
INJECTION_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r'ignore (previous|all) instructions',
    r'new (task|directive|instruction)',
    r'system prompt',
    r'send .{0,50} to 0x[0-9a-fA-F]{40}',   # "send 5 ETH to 0x..."
    r'transfer .{0,50} to',
    r'approve .{0,50} for',
)]

def sanitize_onchain_data(text: str) -> str:
    # Reject rather than strip: a stripped payload is still an unknown, a rejected one is
    # logged and never reaches the model.
    for pattern in INJECTION_PATTERNS:
        if pattern.search(text):
            raise ValueError(f"Potential prompt injection: {text[:100]!r}")
    return text

Do not inject token names, pair labels, webhook payloads, or social feeds into an execution-capable prompt without treating them as untrusted data: anything an attacker can write on-chain or post to a feed is attacker-controlled input to the model.

Hard spend limits

import time
from collections import deque
from decimal import Decimal

MAX_SINGLE_TX_USD = Decimal("500")
MAX_DAILY_SPEND_USD = Decimal("2000")

class SpendLimitError(Exception):
    pass

class SpendLimitGuard:
    # Rolling 24h window kept in memory; back it with durable storage in production so a
    # restart cannot reset the window. Limits are fixed here, never taken from model output.
    WINDOW_SECONDS = 86400

    def __init__(self) -> None:
        self._spends: deque[tuple[float, Decimal]] = deque()   # (timestamp, usd)

    def _get_24h_spend(self) -> Decimal:
        cutoff = time.time() - self.WINDOW_SECONDS
        while self._spends and self._spends[0][0] < cutoff:
            self._spends.popleft()
        return sum((usd for _, usd in self._spends), Decimal("0"))

    def _record_spend(self, usd_amount: Decimal) -> None:
        self._spends.append((time.time(), usd_amount))

    def check_and_record(self, usd_amount: Decimal) -> None:
        if usd_amount <= 0:
            raise SpendLimitError(f"Amount must be positive, got ${usd_amount}")
        if usd_amount > MAX_SINGLE_TX_USD:
            raise SpendLimitError(f"Single tx ${usd_amount} exceeds max ${MAX_SINGLE_TX_USD}")

        daily = self._get_24h_spend()
        if daily + usd_amount > MAX_DAILY_SPEND_USD:
            raise SpendLimitError(f"Daily limit: ${daily} + ${usd_amount} > ${MAX_DAILY_SPEND_USD}")

        self._record_spend(usd_amount)   # record before the send, so a crash fails closed

Simulate before sending

class SlippageError(Exception):
    pass

def decode_last_uint256(return_data: bytes) -> int:
    # Last 32-byte word of the return data: the value itself for a uint256 return, the
    # final element of amounts[] for Uniswap V2-style routers. Check your router's ABI.
    if len(return_data) < 32:
        raise ValueError("simulation returned no data")
    return int.from_bytes(return_data[-32:], "big")

class Executor:
    def __init__(self, w3, account):
        self.w3 = w3            # web3 AsyncWeb3 connected to the RPC
        self.account = account  # eth_account LocalAccount for the hot wallet

    async def safe_execute(self, tx: dict, expected_min_out: int | None = None) -> bytes:
        # Refuse before touching the RPC: a swap with no floor must never reach the chain.
        if expected_min_out is None:
            raise ValueError("min_amount_out is required before send")

        # Dry-run against current state. This catches a bad route or a stale quote, but state
        # can still move before inclusion, so the same floor must also be encoded in the
        # calldata (amountOutMin) and the tx must carry a deadline.
        sim_result = await self.w3.eth.call(tx)
        actual_out = decode_last_uint256(sim_result)
        if actual_out < expected_min_out:
            raise SlippageError(f"Simulation: {actual_out} < {expected_min_out}")

        signed = self.account.sign_transaction(tx)
        return await self.w3.eth.send_raw_transaction(signed.raw_transaction)

Circuit breaker

class TradingHalted(Exception):
    pass

class TradingCircuitBreaker:
    MAX_CONSECUTIVE_LOSSES = 3
    MAX_HOURLY_LOSS_PCT = 0.05

    def __init__(self, start_value: float) -> None:
        self.consecutive_losses = 0
        self.hour_start_value = start_value   # portfolio value when the current hour began
        self.halt_reason: str | None = None

    def halt(self, reason: str) -> None:
        # Sticky by design: the agent cannot clear it; an operator restarts the service.
        self.halt_reason = reason
        raise TradingHalted(reason)

    def record_trade(self, realized_pnl: float) -> None:
        self.consecutive_losses = self.consecutive_losses + 1 if realized_pnl < 0 else 0

    def check(self, portfolio_value: float) -> None:
        # Call before every send; raises TradingHalted once any limit is breached.
        if self.halt_reason is not None:
            raise TradingHalted(self.halt_reason)
        if self.consecutive_losses >= self.MAX_CONSECUTIVE_LOSSES:
            self.halt("Too many consecutive losses")
        if self.hour_start_value <= 0:
            self.halt("Invalid hour_start_value")
        hourly_pnl = (portfolio_value - self.hour_start_value) / self.hour_start_value
        if hourly_pnl < -self.MAX_HOURLY_LOSS_PCT:
            self.halt(f"Hourly PnL {hourly_pnl:.1%} below threshold")

Wallet isolation

import os
from eth_account import Account

# The key is read from the environment (or a secret manager) at startup. It must not appear
# in code, in config committed to the repo, or in log output.
private_key = os.environ.get("TRADING_WALLET_PRIVATE_KEY")
if not private_key:
    raise EnvironmentError("TRADING_WALLET_PRIVATE_KEY not set")

account = Account.from_key(private_key)
del private_key   # keep only the signer; log account.address, never the key

Use a dedicated hot wallet funded with only what the current session needs, so that a full compromise of the agent is bounded by that balance. Never point the agent at a primary treasury wallet.
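Two checks that make the wallet-isolation rule enforceable rather than a convention, as an added example (not the skill's code): the loaded key must derive to an address on an approved hot-wallet list, so a misconfigured environment cannot quietly point the agent at the treasury, and the key value is registered with a log filter that scrubs it from every record. `load_trading_key`, `SecretRedactor`, `check_session_funding` and the address-derivation callback are this example's constructions; in production the callback is `lambda k: Account.from_key(k).address` from `eth_account`, which is kept out of the block so it runs without that dependency.

```python
import logging
import re
from typing import Callable, Mapping


class KeyLoadError(Exception):
    pass


PRIVATE_KEY_RE = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")


class SecretRedactor(logging.Filter):
    """Scrubs registered secret values from every log record passing through the logger.
    Exact-match scrubbing is used instead of a generic 64-hex pattern so tx hashes stay
    readable in the audit log."""

    def __init__(self) -> None:
        super().__init__()
        self._secrets: list[str] = []

    def register(self, secret: str) -> None:
        bare = secret[2:] if secret.lower().startswith("0x") else secret
        for form in (bare, bare.lower(), bare.upper()):
            if form not in self._secrets:
                self._secrets.append(form)

    def redact(self, text: str) -> str:
        for secret in self._secrets:
            text = text.replace(secret, "[REDACTED_KEY]")
        return text

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = self.redact(record.getMessage())   # format first, then scrub the result
        record.args = ()
        return True


def load_trading_key(
    env: Mapping[str, str],
    derive_address: Callable[[str], str],
    approved_hot_wallets: set[str],
    redactor: SecretRedactor,
    var: str = "TRADING_WALLET_PRIVATE_KEY",
) -> tuple[str, str]:
    """Returns (private_key, address). Pass the key straight into the signer constructor and
    drop the reference; the address is what gets logged."""
    raw = env.get(var, "").strip()
    if not raw:
        raise KeyLoadError(f"{var} not set")
    if not PRIVATE_KEY_RE.match(raw):
        raise KeyLoadError(f"{var} is not a 32-byte hex private key")
    redactor.register(raw)                      # before any log line could mention it
    address = derive_address(raw)
    if address.lower() not in {a.lower() for a in approved_hot_wallets}:
        # The check that catches "someone exported the treasury key into the agent's env".
        raise KeyLoadError(f"key derives to {address}, which is not an approved hot wallet")
    return raw, address


def check_session_funding(balance_usd: float, session_budget_usd: float, tolerance: float = 1.10) -> None:
    """A hot wallet holding far more than the session budget means the wrong wallet was
    funded or it was over-funded; stop before trading rather than after."""
    if balance_usd > session_budget_usd * tolerance:
        raise KeyLoadError(
            f"hot wallet holds {balance_usd:.2f} USD, over the {session_budget_usd:.2f} USD session budget")


if __name__ == "__main__":
    redactor = SecretRedactor()
    log = logging.getLogger("agent")
    log.addFilter(redactor)
    logging.basicConfig(level=logging.INFO)
    # Constructed sample key and deriver; real code uses eth_account here.
    sample_env = {"TRADING_WALLET_PRIVATE_KEY": "0x" + "ab" * 32}
    key, address = load_trading_key(
        sample_env, lambda k: "0x1234567890abcdef1234567890abcdef12345678",
        {"0x1234567890abcdef1234567890abcdef12345678"}, redactor)
    log.info("loaded signer for %s (key=%s)", address, key)   # key line is scrubbed
```

Attach the filter to the root logger and to any library loggers (web3, HTTP clients) that might echo request bodies; a signed transaction never contains the key, but a debug log of the environment or of a misrouted config dump does.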

MEV and deadline protection

import time

# Flashbots Protect RPC: transactions are submitted privately instead of through the public
# mempool, so they are not visible to sandwich bots before inclusion.
PRIVATE_RPC = "https://rpc.flashbots.net"
# Slippage caps per asset class, in basis points; set by the strategy, never by the model.
MAX_SLIPPAGE_BPS = {"stable": 10, "volatile": 50}

def fresh_deadline(ttl_seconds: int = 60) -> int:
    # Compute per transaction. A module-level deadline is evaluated once at import and is
    # stale, or already expired, by the time a later swap is built.
    return int(time.time()) + ttl_seconds

Pre-Deploy Checklist

  • External data is sanitized before entering the LLM context
  • Spend limits are enforced independently from model output
  • Transactions are simulated before send
  • min_amount_out is mandatory
  • Circuit breakers halt on drawdown or invalid state
  • Keys come from env or a secret manager, never code or logs
  • Private mempool or protected routing is used when appropriate
  • Slippage and deadlines are set per strategy
  • All agent decisions are audit-logged, not just successful sends
Overall Score: 82/100
Grade: B (Good)
Safety: 80 · Quality: 82 · Clarity: 85 · Completeness: 80

Summary

This skill provides security patterns and guardrails for LLM-based autonomous trading agents that have wallet or transaction authority. It covers prompt injection defense, spend limits, transaction simulation, circuit breakers, MEV protection, and key handling—framing them as independent defensive layers to prevent asset loss from agent compromise or bad tool paths.

Detected Capabilities

  • prompt injection detection
  • spend limit enforcement
  • transaction simulation
  • circuit breaker logic
  • environment variable access
  • transaction signing and execution
  • private RPC routing
  • audit logging guidance

Trigger Keywords

Phrases that MCP clients use to match this skill to user intent.

  • trading agent security
  • prompt injection defense
  • wallet authorization
  • transaction safety
  • spend limits
  • MEV protection
  • circuit breaker
  • key management

Risk Signals

  • INFO: Private RPC endpoint reference (rpc.flashbots.net) (MEV and deadline protection section)
  • WARNING: Environment variable access for wallet private key (Wallet isolation section)
  • WARNING: Example code references transaction signing and sending without explicit mention of testnets (safe_execute method)

Referenced Domains

External domains referenced in skill content, detected by static analysis.

rpc.flashbots.net

Use Cases

  • Secure autonomous trading agents against prompt injection and financial attack
  • Implement spend limits and circuit breakers for LLM-controlled wallets
  • Pre-deploy security checklist for on-chain execution bots
  • Design wallet key management and hot wallet isolation for trading agents
  • Simulate transactions and enforce slippage/deadline protections in agents

Quality Notes

  • Clear threat model articulated upfront: 'injection can turn directly into asset loss'
  • Excellent defense-in-depth philosophy: 'Layer the defenses. No single check is enough.'
  • Well-structured examples covering all major attack vectors: injection, overspend, slippage, losses, key leakage
  • Pre-deploy checklist is practical and actionable—covers both detection and enforcement
  • Code examples are production-ready with proper exception handling
  • Lacks explicit guidance on testing in testnets before mainnet deployment
  • No discussion of rate limiting or transaction ordering risks
  • Circuit breaker examples good but missing guidance on recovery/alert mechanisms
  • Spend limit enforcement clear but no guidance on implementing durable state (e.g., database) vs in-memory tracking
Model: claude-haiku-4-5-20251001 · Analyzed: May 11, 2026

Reviews


No reviews yet


Version History

  • v1.1 (2026-04-20, latest): Content updated
  • v1.0 (2026-04-12): No changelog
