my_stock_tradeagents_rebuild_skill

Security checks across malware telemetry and agentic risk

Overview

This rebuild helper is mostly disclosed, but it can automatically stage, commit, and push all repository changes without a review step.

Install only if you intentionally want an agent to rebuild ~/TradingAgents and possibly publish repository changes. Before use, require the agent to show git status and git diff, verify the remote and branch, check for secrets or unrelated files, and approve any commit or push explicitly.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill instructs destructive local actions (`rm -rf venv`) and repository-altering remote actions (`git add .`, `git commit`, `git push`) without requiring confirmation, preview, scope checks, or any warning about data loss and unintended publication. In an agent setting, this is dangerous because a user request to rebuild an environment could trigger irreversible changes, commit unrelated files, and push sensitive or accidental modifications to a remote repository.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal