Investment Portfolio

Security checks across malware telemetry and agentic risk

Overview

This is a local portfolio tracker that stores user-entered investment records on disk and does not show network access, credential use, hidden automation, or unrelated behavior.

Install only if you are comfortable storing portfolio holdings and transaction history in local plain-text files. Check the actual data directory before entering sensitive financial information, especially because the documentation and script disagree on the default path.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill documentation indicates it reads environment configuration and writes local files, but it declares no permissions. This creates a transparency and consent problem: an agent or user may invoke the skill expecting a read-only analysis tool while it actually persists data and can write transaction history or exports to disk.

Missing User Warnings

Low

Confidence: 81% confidence
Finding: The skill describes local storage and export features but does not clearly warn that normal commands modify holdings data and append to transaction logs on disk. This can lead to unintended persistence of sensitive financial information and surprise state changes, especially in agent-driven workflows where users may assume commands are ephemeral.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal