IRS Strategy Development Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a trading-strategy documentation package, but it exposes usable-looking database and website credentials and includes live-order examples without strong safety guardrails.

Do not install this skill as-is outside a tightly controlled internal environment. Treat the exposed credentials as compromised, rotate them, and remove secrets/internal endpoints from the package. If using the trading examples, review them manually, run only in backtest or paper/simulation first, and add explicit live-trading confirmation, account checks, risk limits, and kill-switch controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The skill embeds what appear to be live credentials for an online data dictionary (`szsgdsjk01 / gildata@123`). Hardcoded credentials in documentation are sensitive secrets regardless of whether they are for an internal or low-privilege system, because they enable unauthorized access, credential reuse attacks, and downstream disclosure. In a strategy-development skill, these credentials are not necessary to fulfill the core function and materially increase risk.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The file exposes internal infrastructure details and a hardcoded SQL Server credential (`User Id=Traders;Password=abcd4321`) plus reachable internal hosts and ports. Even though this is framed as reference documentation, embedding live access details in a skill artifact creates credential leakage risk, enables lateral movement inside the environment, and is unrelated to the minimum information needed for strategy-authoring guidance.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The documentation discloses username and password credentials for an online data dictionary service. Publishing reusable credentials in a reference file allows unauthorized access, potential data exfiltration, and credential stuffing against related systems if passwords are reused.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: The file discloses live internal database access details and external service credentials directly in reference documentation. This is dangerous because anyone with access to the skill can reuse those secrets to access proprietary data stores or third-party services outside the intended strategy-assistant workflow.

Context-Inappropriate Capability

Severity: Critical
Confidence: 100%
Finding: These are capability-enabling secrets: the connection string, username, and password provide direct access paths to an internal SQL Server and an online data dictionary. In the context of a strategy-coding assistant, this materially increases risk because the skill can facilitate unauthorized data access, lateral movement, and exfiltration unrelated to answering user questions about code.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The skill provides actionable guidance for backtesting, simulated trading, and live trading workflows without a clear safety warning or requirement for confirmation before potentially market-impacting actions. In a trading context, omitted risk boundaries can lead users or downstream agents to execute changes or trading steps in live environments without adequate review, increasing operational and financial risk.

Natural-Language Policy Violations

Severity: High
Confidence: 99%
Finding: The document discloses sensitive access information in natural language: the SQL connection string includes a plaintext password, and the same document later includes external service credentials. Secrets in prose are just as dangerous as secrets in code because they are easy to scrape, reuse, and leak to downstream consumers of the skill.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The document contains ready-to-use strategy examples that place live orders via methods such as ChasingBuy, ChasingSell, SubmitPairOrder, TwapBuy, and TwapSell, but it provides no warning that these snippets can trigger real market activity and financial loss if copied into a live IRS environment. In the context of a trading-strategy skill, this omission is more dangerous because users are specifically likely to reuse the examples operationally rather than treat them as purely illustrative pseudocode.

Natural-Language Policy Violations

Severity: High
Confidence: 100%
Finding: Hard-coded credentials in natural-language documentation still constitute a secrets exposure, even if they are not embedded in executable code. Attackers or unauthorized users can copy them verbatim, and LLM-based systems may surface or propagate them in responses, expanding the blast radius of the leak.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The document normalizes direct access to sensitive internal and external systems without warning, classification, or access-control guidance. In practice, this makes accidental misuse more likely and signals to users and downstream agents that unrestricted use of these systems is acceptable.

VirusTotal

64/64 vendors flagged this skill as clean.