Back to skill

Security audit

Investoday

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Chinese finance-analysis skill with no hidden files or automatic privileged behavior in the artifact.

Before installing, verify the `investoday-api` PyPI package and avoid providing brokerage credentials or personal financial account data. Treat outputs as market analysis only, not investment advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases for the market-broadcast module are broad, conversational terms such as '市场怎么样' and time-of-day prompts like '早盘/午盘/收盘后'. In a user-invocable finance skill, this can cause unintended activation during ordinary market discussion, increasing the chance that the agent routes users into this skill without clear intent and returns finance-specific guidance or analysis unexpectedly.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
The skill content and descriptions are entirely in Chinese with no indication that language will follow the user's preference or system locale. This can cause the skill to respond in an unexpected language, reducing transparency and user comprehension in a finance context where misunderstanding analysis, metrics, or disclaimers may lead to poor decisions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.