Vwap

Security checks across malware telemetry and agentic risk

Overview

This skill does not appear to harm your device, but its VWAP finance reference content is mostly generic and could mislead users.

Install only if you treat it as a rough placeholder, not a trustworthy VWAP reference. Do not rely on its formulas, compliance notes, or checklists for trading, financial analysis, or operational decisions without independent verification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium (96% confidence)
Finding
The script presents itself as a VWAP reference tool, but nearly all emitted content is generic finance boilerplate and does not provide VWAP-specific information. This is dangerous because users or downstream agents may rely on mislabeled output for trading, compliance, or operational decisions, creating integrity and trust risks even though there is no direct code-execution payload.

Intent-Code Divergence

Medium (93% confidence)
Finding
The inline description and help text advertise VWAP-specific behavior, but the command outputs do not substantively reflect VWAP. In a finance context, this mismatch can mislead users into assuming domain-specific correctness, which may propagate bad guidance into analysis or decision support workflows.

VirusTotal

64/64 vendors flagged this skill as clean.
