Security audit

Crypto Auto Progression

Security checks across malware telemetry and agentic risk

Overview

This skill is not deceptive, but it creates recurring automation that can keep running scripts or changing project files without clear limits.

Install only if you intentionally want long-running cron-driven agent work on this crypto backtest project. Before enabling it, require the agent to show exact cron definitions, set an expiration or maximum run count, restrict allowed scripts and paths, require approval before code changes, use a separate branch or sandbox, and document how to pause or delete the jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Natural-Language Policy Violations

Low
Confidence: 96%
Finding
The skill hard-codes a specific timezone (`Asia/Manila`) for the daily report without indicating that this should be derived from user preference or environment configuration. In an automation skill, this can cause reports and scheduled actions to run at unexpected local times, leading to operational confusion, missed reviews, or incorrect assumptions about when jobs execute.

VirusTotal

65/65 vendors flagged this skill as clean.