joinquant

Security checks across malware telemetry and agentic risk

Overview

This is a coherent JoinQuant reference skill for market data and strategy examples, with no hidden execution, but users should handle credentials and trading snippets carefully.

Install only if you intend to use JoinQuant. Do not paste real JoinQuant passwords into prompts or source files, and do not run order-related snippets unless you have verified the account mode and are intentionally trading or simulating trades.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (6)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The quick reference demonstrates direct username/password authentication in code without any guidance on secure secret handling, such as environment variables, secret stores, or avoiding hardcoding credentials. In a developer-facing skill, this can normalize unsafe credential practices and lead users to embed trading-platform credentials in source files, notebooks, logs, or shared repos.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The documentation includes live order-placement examples (`order`, `order_target_value`, `order_target_percent`) without a warning that these APIs can trigger real or simulated trading actions depending on environment. In a quant trading skill, that omission increases the chance of accidental impactful actions by users copying examples into live or paper-trading contexts without safeguards.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The README instructs users to export and pass account credentials directly for API authentication, but it does not warn that these secrets are sensitive or advise safe storage practices. In an agent or automation context, this increases the risk of users hardcoding credentials, exposing them in shell history, logs, screenshots, shared notebooks, or version control.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The README presents strategy backtesting and simulated trading actions such as order_target_value without any caution that these operations can influence simulated/live account state depending on execution context. In a trading skill, users may copy examples into connected environments and unintentionally place orders, rebalance positions, or assume the code is risk-free demonstration code.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill includes a username/password authentication example using inline literals without warning against hardcoding or exposing credentials. In practice, users or downstream agents may copy this pattern into scripts, notebooks, logs, or prompts, leading to credential leakage and unauthorized access to the JoinQuant account and associated data quota.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The documentation demonstrates order placement, liquidation, and position-targeting functions without an explicit warning that these actions can affect live or simulated brokerage state and may cause financial loss if misused. In an agent context, examples that normalize direct trading commands can be dangerously copied into automation without confirmation gates, environment checks, or account-scope safeguards.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal