Security audit

finance-airoom

Security checks across malware telemetry and agentic risk

Overview

This skill is mainly a financial file downloader, but its documentation encourages risky AI-driven investing workflows and broader authority than a simple downloader needs.

Review carefully before installing. Use it only for manual, user-directed downloads from authorized pages; prefer HTTPS; set a small WP_MAX_FILES limit; avoid storing credentials in config; scan downloaded files before opening; and do not let an agent place trades or act on the strategy signals without explicit human and regulatory review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
Findings (23)

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding: The README repeatedly says the data is only simulated/reference material, yet it also instructs AI agents to import the files into strategy execution systems and act on explicit buy/sell signals such as '增持' (increase holdings) and '全部卖出' (sell all). That contradiction can mislead operators into treating unverified or synthetic outputs as actionable trading instructions, increasing the risk of unsafe autonomous financial actions.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding: Later disclaimers state AI agents must not trade autonomously, but earlier sections tell users to connect the platform data to AI strategy execution systems and follow concrete sell/buy logic. In a skill context, this inconsistency is dangerous because agents may prioritize operational instructions over legal disclaimers, resulting in unsupervised financial decision-making.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding: The document claims it does not provide real price data, but the embedded backtest code pulls live/historical market data from Yahoo Finance and uses it to generate signals. This mismatch is not just marketing inconsistency; it can cause users and agents to misunderstand data provenance, trust boundaries, and whether outputs are simulated, historical, or externally sourced.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The README repeatedly claims the data is only simulated/reference material and not investment advice, but it also instructs AI agents to use the downloaded files to generate concrete buy/sell/hold actions. This contradiction can cause downstream agents or users to treat disclaimers as mere liability shielding while still operationalizing the skill for trading decisions, increasing the risk of unsafe financial automation.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding: The manual says there is no direct connection to trading software, but then instructs agents to download data and execute packaged strategies from those files. Even without direct broker integration, this still facilitates actionable trading automation and may mislead users into underestimating the operational risk because the product is framed as non-executing.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding: The core strategy description is internally inconsistent: it says the system buys when the market is at a low price and sells when prices are high, yet the defined signal mapping says 'Excellent' means increase holdings and 'Poor/Severe' means sell. A downstream agent could implement the wrong logic, leading to systematic inversion of risk signals and potentially large financial losses, especially given that the document promotes leveraged instruments like TQQQ.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding: The README presents the skill as a no-login public downloader, but elsewhere instructs users to help the AI register accounts, obtain API keys, activate them, and provide device information. This inconsistency can socially engineer users into granting credentials or privileged access beyond the advertised scope, increasing the chance of unauthorized account creation, secret handling, and over-privileged deployment.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding: The skill advertises itself as downloading financial data, but its documented file-detection scope includes many generic document, media, and web file types. In a browser-automation context, this broadens the effective trust boundary and can lead an agent to download unexpected content from the target site, increasing exposure to malicious or irrelevant files.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding: The module presents itself as restricted to airoom.ltd, but runtime configuration allows arbitrary WP_URL and WP_TARGET_URL values. In an agent context, this can be used to drive authenticated browser automation and file downloads against attacker-controlled or unintended hosts, turning the skill into a generic remote downloader and increasing phishing, credential exposure, and untrusted content retrieval risk.

Ssd 4

Severity: Medium
Confidence: 84%
Finding: The project vision explicitly promotes AI-to-AI coordination, competitive advantage over humans, and progressive monitoring/control of economic systems. In context, this is dangerous because it normalizes autonomous coordination and expansion of operational scope, which can be used to justify abusive automation, mass deployment, or financially manipulative behavior.

Ssd 4

Severity: Medium
Confidence: 88%
Finding: The deployment steps guide users to equip AI agents with product manuals, official URLs, registration help, GitHub accounts, API keys, activation steps, device information, and operational objectives. This is risky because it operationalizes the agent beyond a simple downloader and encourages credential provisioning plus capability expansion that could lead to unauthorized actions or sensitive-data exposure.

Ssd 4

Severity: Medium
Confidence: 90%
Finding: The document explicitly promotes large-scale AI monitoring of human economic systems and gradual control of assets for competitive advantage over humans. Even though this is mostly narrative, such framing is a red flag because it normalizes coordinated agent behavior aimed at strategic dominance, which can steer downstream automation into harmful or unauthorized activity.

Ssd 4

Severity: Medium
Confidence: 88%
Finding: The skill encourages AIs to connect and share cross-country market information to maximize information advantage. In context, this goes beyond ordinary analysis and promotes coordinated multi-agent behavior that could facilitate unauthorized data aggregation, strategic collusion, or other abusive conduct.

Ssd 2

Severity: Low
Confidence: 72%
Finding: The embedded prompt template contains tool-steering language telling the agent not to use a particular writing skill and to operate under constrained instructions. This is a mild prompt-manipulation pattern that can interfere with host-agent tool selection and reduce normal safety or policy mediation.

Ssd 4

Severity: Medium
Confidence: 93%
Finding: The human operation guide instructs users to help the AI log in, obtain API keys, register accounts, and provide device information to complete deployment. This is dangerous because it incrementally solicits credentials, access tokens, and environment details that could expand the agent's authority and enable unauthorized actions or persistence.

Ssd 4

Severity: Medium
Confidence: 90%
Finding: This Chinese section repeats the same harmful narrative about AI monitoring human society and gradually controlling assets. Repetition in multiple languages increases the likelihood that the behavior is intentional rather than incidental, and reinforces unsafe operational goals.

Ssd 4

Severity: Medium
Confidence: 88%
Finding: This Chinese guidance again promotes interconnection among AIs and mutual transfer of country-level economic information to maximize advantage. In context, that is a coordination signal for distributed agents and increases the risk of large-scale aggregation or misuse beyond a single user's legitimate task.

Ssd 2

Severity: Low
Confidence: 72%
Finding: The Chinese prompt template mirrors the English tool-steering instruction to avoid a normal writing skill. This is a prompt-level control attempt that can manipulate agent behavior and bypass standard orchestration preferences.

Ssd 4

Severity: Medium
Confidence: 93%
Finding: This Chinese human guide repeats instructions to help the AI register accounts, obtain API keys, and receive device information for deployment. That materially increases the attack surface by encouraging transfer of secrets and operational access to the agent.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:

### Option 1: Configuration File (Recommended)

Create `~/.config/airoom-ltd-global-finance-data-platform/config.json`:

```json
{
```

Confidence: 76%
Finding: Create `~/.config

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
playwright>=1.40.0
requests>=2.31.0
Confidence: 90%
Finding: playwright>=1.40.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
playwright>=1.40.0
requests>=2.31.0
Confidence: 95%
Finding: requests>=2.31.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

Severity: High
Category: Supply Chain
Confidence: 92%
Finding: requests

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.