Simmer Calibration Report

Security checks across malware telemetry and agentic risk

Overview

This analytics skill mostly does what it claims, but its default sim mode can unexpectedly read live trading history.

Review before installing if your live trading journal is sensitive. Set `CALIB_JOURNAL_PATH` to the exact journal you intend to analyze, avoid relying on auto-detection, and do not enable the daily cron until you have confirmed which file it will read.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Description-Behavior Mismatch

Medium

Confidence: 96% confidence
Finding: The journal discovery logic silently falls back to the live trade journal even when running the default sim analysis path. That can expose real trading history to a tool the user may believe is operating only on simulation data, creating confidentiality and safety-of-operation risks through misleading data-source selection.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal