金融工具包

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed finance analysis toolkit with market-data and charting dependencies; the automated-trading example needs caution but is simulated and not backed by live broker code in the artifact.

Install only if you are comfortable with third-party Python market-data libraries. Treat outputs as informational, not investment advice. Do not connect this skill or derived code to a real brokerage account unless live trading is disabled by default and protected with explicit user confirmation, risk limits, audit logs, and pinned dependencies or a lockfile.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly describes an AutoTrader that can start trading, but the surrounding documentation does not provide a strong operational safety warning, confirmation requirement, or account-impact disclosure. In a finance context, this can normalize live-trading behavior and lead users or downstream agents to execute trades that affect real funds if the simulated setting is later changed or copied into production code.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal