Finance Cron

Security checks across malware telemetry and agentic risk

Overview

This is a trading-calendar helper that discloses its scheduler integration and does not show hidden execution, credential access, or data exfiltration.

Reasonable to install if you need trading-day calendar utilities. Before using the generated /loop line, read the full command carefully, especially if the command text came from another person or tool. Run calendar sync only if you are comfortable installing and using the optional Python market-calendar packages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium (84% confidence)
Finding
The module claims it does not directly execute tasks, but it generates a copy-pastable `/loop` command that concatenates attacker-controlled `args.command` into a shell-style command line. That can mislead users into trusting the generated output and can enable command injection or unsafe deferred execution if the supplied command contains shell metacharacters.

Missing User Warnings

Medium (93% confidence)
Finding
The code constructs a ready-to-run `/loop ... && ${args.command}` string using unsanitized user input. If `args.command` contains shell operators such as `&&`, `;`, backticks, or substitutions, the generated command can execute unintended additional actions when pasted into a shell-like environment.

VirusTotal

64/64 vendors flagged this skill as clean.
