Back to skill

Security audit

Investment Research Analyst

Security checks across malware telemetry and agentic risk

Overview

This is a coherent investment-research skill, but it defaults to publishing and sharing a dashboard without clear user approval or privacy controls.

Review before installing. Use it only if you are comfortable with finance-analysis outputs and instruct the agent to create a local draft first. Require explicit approval before any deployment or link sharing, and avoid including private portfolio details or proprietary research unless you control where the dashboard will be published.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrases are very broad and include common terms such as 'stock analysis', 'company research', and Chinese equivalents, which can cause the skill to activate in situations beyond the user's intent. In a finance-oriented skill, unintended invocation is risky because it may steer users into generating investment recommendations or handling sensitive portfolio-related requests without an explicit request for this specific workflow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to deploy an interactive dashboard and share a link, but it provides no warning, consent step, or guidance about what data may be published. This is dangerous because research outputs may contain sensitive user context, proprietary analysis, or portfolio information that could be exposed through deployment or link sharing.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.