LEAN Engine — Algorithmic Trading

Security checks across malware telemetry and agentic risk

Overview

This LEAN trading skill is mostly coherent, but its backtest helper temporarily replaces the active LEAN config despite saying the original config is never touched.

Review the helper scripts before installing. Use a separate LEAN workspace or credential-free backtesting config, avoid storing Interactive Brokers credentials in the config used by this skill, and do not run it concurrently with other LEAN sessions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (3)

Tp4

High

Category: MCP Tool Poisoning
Confidence: 86% confidence
Finding: The skill description overstates and partially misstates behavior, especially around config handling and operational capabilities like result analysis and IB deployment. This is dangerous because operators may trust the description, grant the skill broader use, or run it in environments containing live-trading credentials while the workflow temporarily swaps active configuration and performs network downloads not prominently disclosed in the top-level description.

Intent-Code Divergence

Medium

Confidence: 95% confidence
Finding: The comments state that the original config is 'never touched', but the script explicitly copies a generated backtest config over the live config.json and restores it later. This is a real integrity and reliability issue: if the process is interrupted at the wrong time, another process reads the file concurrently, or cleanup fails, the original configuration can be left altered or briefly expose different settings than expected.

Vague Triggers

Medium

Confidence: 74% confidence
Finding: The description is broad enough to trigger on general requests about backtesting, algorithm development, data management, config editing, and deployment, increasing the chance the skill is invoked in contexts with unnecessary file, environment, and network access. In a trading environment, overbroad activation is more dangerous because the same workspace may contain credentials, live-trading settings, and sensitive financial data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal