Security audit

Einstein Research — Market Breadth Analyzer

Security checks across malware telemetry and agentic risk

Overview

This is a coherent market-analysis skill that fetches public market breadth CSV data and writes local reports, with no evidence of hidden or destructive behavior.

Install in a trusted Python environment, use the default TraderMonty URLs unless you trust another CSV source, and choose an output directory where generated reports and the history file are acceptable. Treat the analysis as informational market context, not investment advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill metadata declares no tools or permissions, yet the documented workflow explicitly runs a Python script that downloads external data and writes JSON/Markdown reports locally. This mismatch can bypass user expectations and security controls that rely on declared capabilities, increasing the risk of unintended network access and filesystem modification.

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The skill instructions describe downloading data from a public GitHub repository and generating local output files, but the skill description does not warn users about these side effects. While this is primarily a transparency and consent issue rather than direct code execution risk, it can still mislead users into triggering network and file operations they did not anticipate.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal