Heikinashi

Security checks across malware telemetry and agentic risk

Overview

This is a simple local text-reference skill with no sensitive access, but its Heikin-Ashi content is mostly generic finance boilerplate and should not be relied on for decisions.

Install only if you want a lightweight local text helper and treat its output as generic educational boilerplate. Do not rely on it for Heikin-Ashi formulas, trading decisions, regulatory compliance, or financial advice without checking authoritative sources.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Tp4

High

Category: MCP Tool Poisoning
Confidence: 90% confidence
Finding: The skill is presented as a focused Heikin Ashi reference tool, but its documented commands and scope expand into broad finance topics like regulations, risks, instruments, and strategies. This can cause over-broad invocation and mislead an agent or user into treating generic financial guidance as authoritative Heikin Ashi-specific reference material, increasing the chance of inappropriate use or unsafe decision support.

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The skill advertises a Heikin-Ashi finance reference tool, but the script emits generic finance, compliance, and operations boilerplate that is unrelated to Heikin-Ashi candlestick methodology. In an agent setting, this creates a semantic integrity failure: users or downstream agents may trust the tool's name and metadata and consume incorrect domain guidance, leading to bad financial analysis or unsafe automated decisions.

Intent-Code Divergence

Medium

Confidence: 91% confidence
Finding: The inline documentation explicitly claims this is a Heikinashi reference tool, yet the actual command outputs are generic and largely unrelated to the topic. This mismatch is dangerous because it can mislead operators, LLM agents, or automated workflows into treating the skill as authoritative for Heikin-Ashi analysis when it is not, increasing the chance of erroneous financial recommendations or decisions.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The 'When to Use' section uses broad activation criteria such as troubleshooting issues, best practices, and checklist guidance, which are not tightly scoped to Heikin Ashi. Overly generic triggering conditions can cause the agent to select this skill in unrelated finance contexts, leading to irrelevant, low-quality, or misleading guidance being surfaced.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal