Finml Toolkit

Security checks across malware telemetry and agentic risk

Overview

This skill is advertised as a curated financial-ML resource list, but it behaves as a local logging tool that stores and exports user-entered text in plaintext.

Review this as a local plaintext logging utility, not as a curated financial-ML resource list. Install only if you want command inputs saved under ~/.local/share/finml-toolkit and potentially duplicated through exports. Do not enter API keys, credentials, account data, proprietary strategies, or sensitive portfolio details unless you are comfortable storing them locally and managing deletion yourself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill metadata advertises a curated financial ML resource list, but the content actually defines a general-purpose local logging and export tool that persistently stores user inputs. This mismatch is dangerous because users and host systems may grant trust or invoke the skill under false assumptions, while sensitive operational or financial data is silently retained and made searchable/exportable.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file implements behavior materially different from the manifest description, introducing local data collection, history tracking, and export capabilities that are not implied by a curated-list skill. Such deceptive or misleading packaging increases the chance that users expose sensitive workflow details, credentials, trading notes, or proprietary data to persistent storage unintentionally.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The script's behavior is materially inconsistent with the declared financial machine learning purpose: it implements a generic local note/logging utility with broad commands and persistent history storage. This kind of capability mismatch is dangerous because it can normalize unnecessary collection of arbitrary user input, increasing privacy risk and making it easier to hide data-harvesting behavior inside an unrelated skill.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script creates a persistent directory in the user's home folder and stores activity/history data there even though that storage is not justified by the advertised skill purpose. Persistently saving arbitrary user inputs can expose sensitive trading ideas, API-related notes, credentials mistakenly pasted by users, or other confidential data to local compromise, backups, or later unintended disclosure.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Broad, generic triggers such as run, analyze, generate, export, help, and status are likely to collide with ordinary agent workflows and may activate outside the intended context. In a skill that persistently logs inputs, accidental invocation can cause unrelated or sensitive prompts and task data to be written to disk and later searched or exported.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill states that all actions are logged to local files, but it does not clearly warn that user-provided financial operation inputs may contain sensitive data and will be stored persistently. This creates a privacy and data-handling risk because users may submit proprietary trading strategies, portfolio details, or internal analysis assuming the interaction is ephemeral.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This command path writes all user-provided input directly into log files and appends activity to a history log without warning, confirmation, or redaction. That is dangerous because users may provide sensitive information in command arguments, and the script silently retains it in plaintext for later exposure through other commands or system access.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The export routine aggregates historical log contents into new persistent files in JSON, CSV, or TXT formats, duplicating previously collected data without any safety checks or warning. This increases the blast radius of sensitive information by creating additional plaintext copies that are easier to share, exfiltrate, or accidentally expose.

Ssd 3

Medium
Confidence
96% confidence
Finding
The script not only stores user inputs but also exposes them through convenience features like search, recent activity, status, and export, making retained data broadly accessible within the tool's normal flows. In the context of a supposedly financial ML skill, this is more dangerous because users may enter market hypotheses, dataset paths, tokens, or other sensitive operational details that are then trivially retrievable in plaintext.

VirusTotal

65/65 vendors flagged this skill as clean.