FirstKnow — Portfolio Intelligence

Security checks across malware telemetry and agentic risk

Overview

FirstKnow appears purpose-built for portfolio alerts, but it needs review because it sends portfolio data and Telegram credentials to a third-party backend and stores secrets locally in plaintext.

Install only if you are comfortable sharing your portfolio composition and a dedicated Telegram bot token with the FirstKnow backend. Use a separate bot token for this service, avoid storing a high-value Anthropic key unless you need deep analysis, and revoke tokens plus remove ~/.firstknow if you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding:
The skill uses network access and local environment/storage capabilities but does not declare them up front. That creates a consent and transparency gap: users may invoke a seemingly simple portfolio-monitoring skill without realizing it will read/write local files and communicate with external services. In this context, the hidden capabilities matter because the skill handles credentials, portfolio holdings, and messaging setup.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding:
The declared purpose suggests monitoring and news checks, but the instructions also register users with a backend, upload credentials and portfolio data, persist local state, and manage settings. That mismatch undermines informed consent and can trick users into authorizing broader data collection and account linkage than expected. Because the skill processes sensitive financial preferences and Telegram secrets, the mismatch materially increases privacy and security risk.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The skill tells the agent to collect and store the user's Anthropic API key in a local .env file even though that secret is not necessary for basic portfolio-news alerting. Requesting an unrelated API key expands the attack surface and creates risk of credential theft, reuse, or accidental disclosure through logs, backups, or later commands. In a skill already performing network sync and local persistence, collecting extra secrets is especially dangerous.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The README states that the user's portfolio is stored on a backend and that server-side processing/transmission occurs, but this disclosure appears later in the document rather than as an upfront warning before the user is encouraged to install and begin setup. For a finance-focused skill handling sensitive holdings and messaging integration, delayed disclosure can undermine informed consent and increase privacy risk if users proceed without understanding what data leaves their local environment.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding:
The trigger guidance is broad enough that the skill may activate for general portfolio or news-related queries, not just explicit requests to use this tool. Overbroad invocation can cause users to be funneled into credential collection, local persistence, and backend registration unexpectedly. The risk is elevated here because activation can lead to sensitive data handling rather than a harmless read-only action.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The skill description does not prominently warn that it will transmit portfolio holdings, alert preferences, timezone data, Telegram chat ID, and bot credentials to an external backend. Users therefore lack meaningful notice before sharing sensitive financial and messaging information. Given the persistent monitoring and account-linking behavior, the omission substantially increases privacy and credential-handling risk.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The instructions direct the agent to store secrets such as the Anthropic API key and Telegram bot token locally in plaintext without a clear user warning. Plaintext secret storage in the home directory increases exposure to local compromise, accidental leakage, backups, and cross-tool access. Because these credentials can enable message delivery and potentially paid API usage, compromise could have both privacy and financial consequences.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The backend registration step sends the user's portfolio, language, and Telegram credentials to an external service without a clear warning at the point of transmission. This deprives the user of informed consent for sharing highly sensitive personal and authentication data. The danger is amplified because the backend then gains persistent ability to push alerts and maintain ongoing user profiles.

Natural-Language Policy Violations

Severity: Medium
Confidence: 86%
Finding:
The sample alert presents both English and Chinese output by default without any indication that the user's preferred language was requested or that multilingual output was opt-in. In a portfolio-alerting skill, this can cause confusing or inaccessible notifications, increase prompt/output injection surface through duplicated content, and create privacy/usability issues if alerts are sent to a channel shared with others who may infer user demographics or settings.

VirusTotal

67/67 vendors flagged this skill as clean.