Back to skill

Security audit

Trend Forecast

Security checks across malware telemetry and agentic risk

Overview

This is a read-only forecasting skill that sends research queries and gathered signals to AIsa APIs, with privacy considerations but no hidden persistence, posting, or destructive behavior found.

Install only if you are comfortable sending forecast topics, tickers, market questions, social/news search terms, and synthesized research data to AIsa services. Avoid using it with secrets, confidential strategy, regulated data, private watchlists, or sensitive personal information, and treat outputs as informational research rather than financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (25)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill clearly requires network access, reads an API key from the environment, and documents file output via `--save report.md`, yet no explicit permission model is declared. This can mislead users or orchestration systems about the skill's real capabilities, increasing the chance of unintended data transmission or local file writes without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The manifest describes a forecasting/research skill, but the documented behavior also includes LLM-mediated processing, expanded financial data access, and report saving. This mismatch matters because operators may authorize the skill based on a narrower understanding than what it actually does, weakening consent and review controls.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The file implements a general-purpose LLM chat gateway even though the skill is described as a trend-forecasting data skill. This expands the capability surface beyond the declared purpose, creating a hidden avenue for arbitrary prompt handling and possible data exfiltration or policy bypass if higher-level components route untrusted content through it.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow instructs the agent to send user queries and later aggregated topic data to external APIs, including an LLM endpoint, without any explicit privacy warning or consent checkpoint. In context, this increases risk because users may provide proprietary research topics, business plans, or sensitive financial questions that are then forwarded to a third-party service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation shows authenticated requests that transmit user queries, ticker symbols, usernames, wallet addresses, and related research inputs to third-party services without any user-facing disclosure, consent boundary, or data-handling warning. In a research/forecasting skill, users may provide sensitive market interests or identifiers, so silent transmission creates privacy and compliance risk even if the transmission is expected for operation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends the user's raw query to an external LLM service during decomposition, and derived queries are then sent to multiple third-party data providers. In an autonomous-agent context, users may supply sensitive prompts, proprietary research topics, or internal plans, so forwarding them without an explicit privacy notice, minimization, or consent creates a real data-exposure risk even if it is expected product behavior.

External Transmission

Medium
Category
Data Exfiltration
Content
Use the AIsa LLM gateway to break the user's query into source-specific search terms.

```bash
curl -X POST "https://api.aisa.one/v1/chat/completions" \
  -H "Authorization: Bearer $AISA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
94% confidence
Finding
curl -X POST "https://api.aisa.one/v1/chat/completions" \ -H "Authorization: Bearer $AISA_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "model": "gpt-4.1-mini", "messages": [

External Transmission

Medium
Category
Data Exfiltration
Content
Use the AIsa LLM gateway to break the user's query into source-specific search terms.

```bash
curl -X POST "https://api.aisa.one/v1/chat/completions" \
  -H "Authorization: Bearer $AISA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
94% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 1. Find Polymarket markets (params: search, status, market_slug, limit)
curl "https://api.aisa.one/apis/v1/polymarket/markets?search=<PREDICTION_MARKET_QUERY>&status=open&limit=5" \
  -H "Authorization: Bearer $AISA_API_KEY"

# 2. Price a token (token_id = side_a.id or side_b.id from step 1)
Confidence
89% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
For Kalshi, the flow is the same but keyed on `market_ticker`:

```bash
curl "https://api.aisa.one/apis/v1/kalshi/markets?search=<PREDICTION_MARKET_QUERY>&limit=5" \
  -H "Authorization: Bearer $AISA_API_KEY"

curl "https://api.aisa.one/apis/v1/kalshi/market-price/<MARKET_TICKER>" \
Confidence
88% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
`queryType` (`Latest` or `Top`).

```bash
curl "https://api.aisa.one/apis/v1/twitter/tweet/advanced_search?query=<TWITTER_QUERY>&queryType=Latest" \
  -H "Authorization: Bearer $AISA_API_KEY"
```
Confidence
91% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
Use AIsa's Tavily relay to search recent news articles about the topic.

```bash
curl -X POST "https://api.aisa.one/apis/v1/tavily/search" \
  -H "Authorization: Bearer $AISA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
90% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
| POST   | `/v1/chat/completions` | Standard OpenAI chat completions | ~$0.01–0.05 (model-dependent) |

```bash
curl -X POST "https://api.aisa.one/v1/chat/completions" \
  -H "Authorization: Bearer $AISA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"model": "gpt-4.1-mini", "messages": [...], "temperature": 0.3}'
Confidence
94% confidence
Finding
curl -X POST "https://api.aisa.one/v1/chat/completions" \ -H "Authorization: Bearer $AISA_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
Client function: `search_news`.

```bash
curl -X POST "https://api.aisa.one/apis/v1/tavily/search" \
  -H "Authorization: Bearer $AISA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"query": "Fed rate cut", "search_depth": "advanced", "max_results": 10, "topic": "news", "days": 7}'
Confidence
91% confidence
Finding
curl -X POST "https://api.aisa.one/apis/v1/tavily/search" \ -H "Authorization: Bearer $AISA_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
Body: `{"query": "..."}`. Client function: `perplexity_search`.

```bash
curl -X POST "https://api.aisa.one/apis/v1/perplexity/search" \
  -H "Authorization: Bearer $AISA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"query": "outlook for AI chip demand 2026"}'
Confidence
91% confidence
Finding
curl -X POST "https://api.aisa.one/apis/v1/perplexity/search" \ -H "Authorization: Bearer $AISA_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
Every endpoint the skill touches, documented from the actual calls in
`scripts/aisa_client.py`.

- **REST base URL:** `https://api.aisa.one/apis/v1`
- **LLM base URL:** `https://api.aisa.one/v1` (OpenAI-compatible — note: **no** `/apis`)
- **Auth header:** `Authorization: Bearer $AISA_API_KEY` on every request
Confidence
84% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
`scripts/aisa_client.py`.

- **REST base URL:** `https://api.aisa.one/apis/v1`
- **LLM base URL:** `https://api.aisa.one/v1` (OpenAI-compatible — note: **no** `/apis`)
- **Auth header:** `Authorization: Bearer $AISA_API_KEY` on every request

---
Confidence
84% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
## LLM Gateway (query decomposition + synthesis)

OpenAI-compatible. Base URL is `https://api.aisa.one/v1`. The skill uses
`gpt-4.1-mini` for both decomposition and synthesis (override with `--model`).

| Method | Path                   | Purpose                          | Price/call |
Confidence
87% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
| POST   | `/v1/chat/completions` | Standard OpenAI chat completions | ~$0.01–0.05 (model-dependent) |

```bash
curl -X POST "https://api.aisa.one/v1/chat/completions" \
  -H "Authorization: Bearer $AISA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"model": "gpt-4.1-mini", "messages": [...], "temperature": 0.3}'
Confidence
94% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
orchestrator pulls prices + metrics + news per ticker.

```bash
curl "https://api.aisa.one/apis/v1/financial/prices?ticker=AAPL&interval=day" \
  -H "Authorization: Bearer $AISA_API_KEY"
```
Confidence
82% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 1. Find the market
curl "https://api.aisa.one/apis/v1/polymarket/markets?search=Fed%20rate%20cut&status=open&limit=5" \
  -H "Authorization: Bearer $AISA_API_KEY"

# 2. Price the token (token_id = side_a.id / side_b.id from step 1)
Confidence
83% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $AISA_API_KEY"

# 2. Price the token (token_id = side_a.id / side_b.id from step 1)
curl "https://api.aisa.one/apis/v1/polymarket/market-price/<TOKEN_ID>" \
  -H "Authorization: Bearer $AISA_API_KEY"
```
Confidence
80% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
treat as ~$0.01/call for budgeting.

```bash
curl "https://api.aisa.one/apis/v1/twitter/tweet/advanced_search?query=Fed%20rate%20cut&queryType=Latest" \
  -H "Authorization: Bearer $AISA_API_KEY"
```
Confidence
90% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
Client function: `search_news`.

```bash
curl -X POST "https://api.aisa.one/apis/v1/tavily/search" \
  -H "Authorization: Bearer $AISA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"query": "Fed rate cut", "search_depth": "advanced", "max_results": 10, "topic": "news", "days": 7}'
Confidence
91% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
Body: `{"query": "..."}`. Client function: `perplexity_search`.

```bash
curl -X POST "https://api.aisa.one/apis/v1/perplexity/search" \
  -H "Authorization: Bearer $AISA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"query": "outlook for AI chip demand 2026"}'
Confidence
91% confidence
Finding
https://api.aisa.one/

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.