Tiger Trade

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate-looking Tiger Brokers trading skill, but its instructions can lead to live financial orders without enough safeguards.

Install only if you intend to let an agent work with Tiger Brokers trading. Do not run the quick-trade example as written; use sandbox mode first, replace all hard-coded order values, require explicit confirmation before every order, and protect the private key with strict file permissions or a secret manager.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The skill description is broad enough to match general investing or portfolio-management requests, which can cause an agent to invoke a trade-execution capability in contexts where the user did not explicitly request a transaction. Because this skill can place real orders, over-broad routing materially increases the chance of unintended financial actions.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The example code is presented as a quick trade snippet but does not clearly warn that it uses a live account with sandbox disabled and submits a real BUY order for 10,000 shares. In a trading skill, omission of an explicit real-money warning is especially dangerous because users or downstream agents may treat the snippet as harmless example code and trigger irreversible financial loss.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal