xtdata

Security checks across malware telemetry and agentic risk

Overview

The skill is advertised as market-data help, but it also bundles live trading and bank-transfer instructions that can affect real financial accounts.

Install only if you specifically need xtdata access through local miniQMT and can keep the agent limited to read-only market-data tasks. Do not allow unattended use of the bundled xttrader material for orders, cancellations, account queries, transaction imports, or bank/securities transfers. Never copy the sample password or account-number patterns into code; use placeholders and secure secret handling, and require explicit human approval for any real account action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch
Medium, 91% confidence

The skill is described as a market/financial data module, but it also exposes state-changing sector-management operations such as creating folders, creating sectors, adding/removing stocks, and deleting sectors. In an agent context, undocumented or weakly justified write-capable functions increase risk because a caller expecting read-only data access could inadvertently modify a user's local miniQMT watchlists or workspace state.

Context-Inappropriate Capability
Medium, 87% confidence

Custom sector/watchlist management is not inherently malicious, but it is beyond the narrow expectation set by a 'market data module' and can alter persistent local configuration. This mismatch is dangerous because autonomous agents may invoke these functions during analysis workflows and silently change or destroy user-defined sectors, causing integrity and operational issues.

Context-Inappropriate Capability
High, 95% confidence

The changelog states that the module supports running local VBA functions in local Python mode, which is a significant capability expansion unrelated to market-data retrieval. Local code/macro execution can enable arbitrary command execution, abuse trusted Office/VBA environments, and bypass expectations that this skill is only handling data access.

Description-Behavior Mismatch
High, 97% confidence

The skill is marketed as a market-quote/market-data module, but this file documents a full trading interface including order placement, cancellation, account subscription, and transactional workflows. That mismatch materially increases the chance that an agent or user grants the skill broader privileges than intended and triggers real trading actions in a context that appears read-only.

Context-Inappropriate Capability
Critical, 99% confidence

Including bank/securities transfer operations inside a purported market-data skill introduces direct money-movement capability that is far more sensitive than quote retrieval. If an agent integrates this under the assumption it is read-only, an attacker or prompt injection elsewhere could invoke irreversible transfers and cause immediate financial loss.

Context-Inappropriate Capability
High, 96% confidence

Direct fund transfer and cross-account internal transfer APIs are privileged state-changing capabilities unrelated to a market-data-only description. Their presence widens the attack surface from observation to fund movement, enabling abuse if the skill is auto-wired into trading or account contexts.

Context-Inappropriate Capability
Medium, 87% confidence

External transaction import and export/query file operations exceed a narrow market-data purpose and create additional integrity and data-handling risks. Import functions can alter system records, while export/query functions can write sensitive financial data to disk where it may be exposed or mishandled.

Missing User Warnings
Medium, 86% confidence

The documentation explains that callers can directly set or override the local data path used to read MiniQmt userdata, including a global variable that can force reads from another local location. In a skill expected to provide market data, exposing filesystem path redirection without strong safety guidance increases the risk of unintended local file access, privacy leakage, and misuse of trusted local data stores.

Missing User Warnings
High, 94% confidence

The examples demonstrate live order placement, cancellation, and fund-transfer actions without any sandbox-only guidance, safety warnings, or confirmation patterns. In an agent setting, runnable examples are often copied directly, so omission of safeguards can lead to accidental real trades or transfers with immediate financial consequences.

Missing User Warnings
High, 95% confidence

Examples include credential-like values such as bank account numbers and passwords, normalizing insecure secret handling in code and logs. This encourages users to hardcode sensitive credentials, copy them into scripts, or expose them through version control, notebooks, terminals, and agent traces.

VirusTotal

66/66 vendors flagged this skill as clean.