Back to skill

Security audit

my_stock_decide_execute_skill

Security checks across malware telemetry and agentic risk

Overview

This skill is openly designed to place real stock trades, but it does not require a hard final confirmation with exact order details before live execution.

Install only if you intentionally want an agent to help place live brokerage orders. Before using it, review the referenced decision, Longbridge trading, and logging skills; require a final explicit confirmation for every order; set strict price and size limits; prefer paper trading or dry-run first; and confirm where trade logs are stored and who can access them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly orchestrates end-to-end real securities trading and persistent log writes, but it does not present a clear user-facing safety warning, risk acknowledgment, or hard confirmation gate immediately before placing live orders. In a financial context, this is dangerous because ambiguous user intent, prompt injection through chained skills, or misunderstanding of automation scope can lead to unauthorized or unintended real-money trades and irreversible account actions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.