Unified Asset Advisor

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed financial research/reporting workflow, with some caution needed around broad activation phrases and an unpinned Excel dependency install.

Install only if you want an agent to produce investment-style research using public market data and external financial-data tools. Treat outputs as research, not personalized financial advice, and avoid allowing runtime package installation unless you trust the Python package source or already have openpyxl installed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: Instructing the agent to run `pip install openpyxl` introduces an unnecessary code-execution and environment-modification path for a reporting skill. Dynamic package installation can pull unpinned third-party code from external registries, weaken reproducibility, and expand supply-chain risk if an attacker can influence package sources or dependency resolution.

Vague Triggers

High

Confidence: 93% confidence
Finding: The trigger phrases are broad enough to match ordinary financial discussion, which can cause unintended activation of a high-impact skill that generates investment guidance and invokes multiple data/tool workflows. Unintended invocation increases the chance of surprise tool use, unnecessary data access, and users receiving quasi-advisory outputs without explicit consent.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal