Back to skill

Security audit

InvestmentTracker Platform

Security checks across malware telemetry and agentic risk

Overview

This investment-tracking skill is purpose-aligned, but it ships live-looking API keys and prints or stores credentials while accessing sensitive financial account data.

Review carefully before installing. Do not use this skill with real financial accounts until the publisher removes and revokes the embedded tokens, stops printing headers, and documents a secure per-user credential setup. If testing is necessary, use simulated mode or a narrowly scoped throwaway API key and verify the endpoint before sending any investment data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (88)

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The helper claims to send an MCP request, but it also writes full request contents to a predictable file under /tmp and launches an external curl process. This creates unintended local data exposure and expands the trust boundary beyond the documented behavior, which is especially risky for financial/account queries.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The document embeds what appears to be a live bearer token and pairs it with concrete code that authenticates to an external MCP endpoint. Even though this is framed as a fix plan, exposing reusable credentials in a skill artifact enables unauthorized API access, data retrieval, and potential downstream abuse by anyone who can read the file.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
These shell examples operationalize the exposed credential by instructing authenticated external requests to a remote service. This expands the risk from passive secret leakage to active misuse, making it easy for readers or automated systems to replay the token and interact with the target service without authorization.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The README embeds a live-looking bearer token and API key directly in example MCP configuration. Even in documentation, hardcoded credentials can be copied, abused for unauthorized API access, scraped by automated scanners, or signal that real secrets are being committed to the repository.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documentation embeds a live-looking bearer token directly in curl examples, which exposes what appears to be a reusable secret in a publicly consumable skill file. Even if the token is expired or low-privilege, publishing credentials trains users to copy insecure patterns and may permit unauthorized access to investment data or backend APIs if the token remains valid.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The file mixes two different skill interfaces and command sets, which can mislead operators into invoking the wrong script, configuring the wrong endpoints, or trusting stale examples. In a security-sensitive skill that handles API keys and financial data, this inconsistency increases the chance of unsafe workarounds, accidental credential exposure, or execution of unintended code paths.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The document claims the skill is 'production-ready' and 'fully complete' while elsewhere explicitly stating that core API connectivity, authentication behavior, and tool-call responses remain untested. This can mislead operators into deploying or trusting the skill in real environments before its security and correctness properties are validated, increasing the chance of unsafe handling of financial data or failed integrations.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documentation includes what appears to be a live bearer token in a troubleshooting curl example, which is effectively credential disclosure. Anyone reading the file can reuse that token to access the remote MCP endpoint, potentially exposing portfolio or account data and enabling unauthorized API actions.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script retrieves user-profile data using whoami_v1 even though its stated purpose is checking positions. In a financial context, expanding collection beyond the minimum necessary increases exposure of personally identifiable information and violates data minimization expectations, especially because the script later prints the profile data to stdout.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The file header claims the script checks position data, but the implementation also fetches and displays identity/profile details. In a skill or agent context, this mismatch is security-relevant because misleading descriptions can cause users or reviewers to authorize broader access than they intended, increasing the risk of unnoticed PII exposure.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script's apparent purpose is checking positions, but it also calls whoami_v1 and later prints personally identifiable account details. Expanding data collection beyond the stated task violates data minimization and increases the chance of unnecessary exposure of user identity information in logs or terminal history.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The module description claims the script checks holdings data, but the implementation also retrieves and displays user identity details such as email and OpenID. This mismatch is dangerous because operators may run the script expecting a narrower scope, leading to undisclosed collection and display of sensitive personal data.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script embeds a live bearer token and silently contacts an external API to retrieve portfolio holdings, exposing sensitive financial data and credentials to anyone with access to the file. In a local reporting skill, hidden authenticated exfiltration capability is unjustified and materially increases the risk of credential compromise, unauthorized data access, and unnoticed outbound data flows.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The document repeatedly embeds what appears to be a live bearer token in example requests, while also advising readers to store API keys securely. Publishing usable credentials in documentation can enable unauthorized access to portfolio endpoints, exposing sensitive financial holdings and performance data. The contradiction in the guidance makes the issue more credible and dangerous, because users may copy and reuse the token without realizing it is a secret.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The documentation embeds what appears to be a live bearer token directly in example curl commands for a production transaction API. Exposing reusable credentials in public-facing skill content can allow unauthorized access to sensitive financial records and may enable further abuse until the token is revoked.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The skill is presented as a real-time investment tracker, but it also exposes capabilities to retrieve identity data, methodology data, and enumerate remote tools. This mismatch expands the effective privilege and data-access surface beyond user expectations, increasing the risk of unauthorized data disclosure and deceptive behavior in an agent context.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Remote tool enumeration can reveal the names, schemas, and execution characteristics of backend capabilities to a local user or downstream agent. That information can aid capability discovery, misuse, and follow-on abuse, especially when the skill already embeds credentials for an authenticated backend.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill retrieves user identity via `whoami_v1` even though the documented function is investment tracking. Unnecessary identity access violates least privilege and can expose personal account information without a clear user-facing need.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This file contains a hardcoded live bearer token that appears to grant authenticated access to an external investment-tracking API. Anyone with access to the script can reuse the credential to query sensitive user, methodology, statistics, and position data, enabling unauthorized access and likely account or portfolio data exposure.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script performs authenticated calls to a remote MCP API without any surrounding trust, authorization, or user-consent controls visible in the skill. In context, this is dangerous because the code is specifically designed to retrieve account-linked investment data from an external service, so compromise or misuse of the skill directly exposes private financial information.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The CLI states that the "full functionality is ready" even though the code explicitly marks the primary MCP API as unavailable and may serve simulated portfolio data instead. In an investment-tracking context, this can mislead users into making decisions based on placeholder data or believing live integrations are operational when they are not.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The document labels itself as based on simulated data while simultaneously presenting concrete user identity fields, holdings, and portfolio performance as if they belong to a real account. In a financial context, this can mislead users, reviewers, or downstream agents into treating fabricated or placeholder data as authentic personal financial information, which can cause incorrect advice, privacy confusion, or unsafe operational decisions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill contains a hardcoded live API key and automatically uses it to contact a remote service. Embedded secrets are easily extracted from source code, can be abused by anyone who obtains the file, and may grant unauthorized access to user or account data through the remote InvestmentTracker endpoint.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hardcodes what appears to be a live bearer token directly in source code and then uses it for authenticated requests. This exposes credentials to anyone with file access, encourages token reuse in plaintext, and can enable unauthorized API access if the script is shared, committed, logged, or copied from terminals.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
This script embeds a live bearer token directly in source code, writes it into a local config file, and prints the full API key to stdout. That combination creates multiple disclosure paths: source control leakage, terminal history/log leakage, CI log exposure, and credential theft by any local user or process with access to the workspace or output.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal