Einstein Research — Market Theme Detector

Security checks across malware telemetry and agentic risk

Overview

This market-research skill is mostly purpose-aligned, but its API-key handling instructions could expose user credentials.

Review before installing. Use a virtual environment, avoid running the documented echo commands for API keys, prefer temporary or revocable provider keys, and only use the web-search and market-data features when sending market themes and ticker queries to third-party services is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill declares no permissions, yet its documented workflow clearly accesses environment variables, performs network requests, and writes report files. This creates a transparency and governance gap: operators may authorize or invoke the skill without realizing it can read credentials, contact external services, and persist data locally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior materially exceeds the narrow description by pulling data from multiple third-party sources, dynamically discovering themes, exposing a CLI workflow, and writing structured outputs to disk. This mismatch is dangerous because reviewers and users may underestimate the operational footprint, data flows, and supply-chain exposure, leading to execution in environments where such behaviors are not acceptable.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill instructs package installation and local script execution, which introduces code execution and dependency risk beyond a simple analytical description. If run in a sensitive environment, this can expand the attack surface through unpinned dependencies, transitive packages, or unsafe execution of repository scripts.

Description-Behavior Mismatch

Low
Confidence
83% confidence
Finding
Writing timestamped JSON and Markdown reports to disk is a real side effect that is not surfaced in the manifest description. Undisclosed file output can lead to accidental data retention, leakage through shared workspaces, or confusion about what artifacts are created and where they persist.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly states that the skill performs web-search-based narrative confirmation and can use a FINVIZ Elite API key, but it does not warn users that market queries or derived prompts may be sent to third-party services or explain how the credential is handled. In an agent skill context, undisclosed outbound requests and secret usage increase the risk of data leakage, accidental transmission of sensitive user context, and unsafe credential practices.

VirusTotal

61/61 vendors flagged this skill as clean.