
Security audit

BSpro Stock Quantization

Security checks across malware telemetry and agentic risk

Overview

This is a real stock-analysis skill, but its data-update path (remote download, decryption, unzip and import into a local database) and its optional remote submissions carry security and privacy risk that warrants review.

Review before installing. Use it only if you trust the publisher's backend and are comfortable with market-data updates downloading, decrypting, unzipping, and importing remote files into a local database. Configure BITSOUL_TOKEN only for this service, avoid invoking performance/positions submission unless you explicitly want leaderboard upload, and treat retraining or cache-clearing APIs as persistent state changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (25)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
# Fill missing values
if fill_method:
    for key in list(panels.keys()):
        panels[key] = getattr(panels[key], fill_method)()

# ── vwap ──────────────────────────────────────────────────────────
vol_safe = panels["volume"].replace(0, np.nan)
Confidence
86% confidence
Finding
panels[key] = getattr(panels[key], fill_method)()
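The allowlisted dispatch a reviewer would ask for in place of the getattr() call above, as an added example that is not part of the skill's code. The Panel class is a constructed stand-in for a pandas column so the example runs offline; purge stands for any unrelated zero-argument method that the unconstrained getattr() makes reachable by name.

```python
"""Allowlisted fill-method dispatch (added example, not the skill's own code).

The audited snippet runs `getattr(panels[key], fill_method)()`, so whatever
string reaches `fill_method` chooses which zero-argument method is invoked on
every panel. `Panel` is a constructed stand-in for a pandas column.
"""
from __future__ import annotations

from typing import Callable, Dict, Optional


class Panel:
    """Minimal stand-in for a DataFrame column: a list with None for gaps."""

    def __init__(self, values):
        self.values = list(values)

    def ffill(self) -> "Panel":
        out, last = [], None
        for v in self.values:
            last = v if v is not None else last
            out.append(last)
        return Panel(out)

    def bfill(self) -> "Panel":
        # Forward-fill the reversed series, then reverse back.
        return Panel(reversed(Panel(reversed(self.values)).ffill().values))

    def purge(self) -> "Panel":
        # Stands in for any zero-arg method a caller must never be able to select.
        return Panel([])


def fill_panels_unsafe(panels: Dict[str, Panel], fill_method: Optional[str]):
    """Behaviour of the audited code: any attribute name is dispatched."""
    if fill_method:
        for key in list(panels.keys()):
            panels[key] = getattr(panels[key], fill_method)()
    return panels


# Fixed table from accepted names to the operation they denote. Nothing outside
# this table is reachable, whatever string the caller or config supplies.
FILL_METHODS: Dict[str, Callable[[Panel], Panel]] = {
    "ffill": Panel.ffill,
    "bfill": Panel.bfill,
}


def fill_panels(panels: Dict[str, Panel], fill_method: Optional[str]):
    """Hardened dispatch: validate the name before touching any panel."""
    if not fill_method:
        return panels
    try:
        op = FILL_METHODS[fill_method]
    except KeyError:
        raise ValueError(
            f"fill_method must be one of {sorted(FILL_METHODS)}, got {fill_method!r}"
        ) from None
    return {key: op(panel) for key, panel in panels.items()}


def is_rejected(panels: Dict[str, Panel], fill_method: Optional[str]) -> bool:
    """True if the hardened dispatch refuses fill_method."""
    try:
        fill_panels(panels, fill_method)
    except ValueError:
        return True
    return False
```

The lookup happens before any panel is transformed, so an unknown name fails closed instead of leaving the dict half-filled; with pandas the table would point at DataFrame.ffill and DataFrame.bfill, and the unsafe variant would accept any zero-argument DataFrame method name.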

Tainted flow: 'download_url' from requests.get (line 1702, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
log(f"Starting download of {file_name} ...")
log(f"Download URL: {download_url}")

with requests.get(download_url, stream=True, timeout=300) as response:
    if response.status_code != 200:
        log(f"Download failed, HTTP status code: {response.status_code}")
        if retry < max_retries - 1:
Confidence
91% confidence
Finding
with requests.get(download_url, stream=True, timeout=300) as response:

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
download_from_url() accepts an arbitrary caller-supplied URL and writes the response body to a caller-supplied filesystem path with no allowlist, scheme checks, or content validation. In an agent skill context, this is more dangerous because other parts of the skill or future extensions could use it as a generic network-to-file primitive, enabling SSRF, retrieval of malicious payloads, and unsafe local persistence.
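A hardened replacement for the network-to-file primitive described above, as an added example; it is not the skill's code. The allowlisted host updates.example.com, the .partial- temp-file prefix and the injected fetch callable are assumptions for the example; the expected sha256 for each file would have to come from a trusted source such as the signed patch list, not from the same download.

```python
"""Hardened network-to-file download (added example, not the skill's own code).

Pins scheme and host, confines the output path to a base directory, caps the
size while streaming, and verifies a SHA-256 before the file is kept. The
fetch is injected as `fetch(url) -> iterable of byte chunks` (in production
e.g. `requests.get(u, stream=True, timeout=300).iter_content(65536)`), so this
runs offline with a constructed fetcher. The allowlisted host is an assumption.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path
from typing import Callable, Dict, FrozenSet, Iterable, Optional
from urllib.parse import urlsplit

ALLOWED_HOSTS: FrozenSet[str] = frozenset({"updates.example.com"})  # assumed


class DownloadPolicyError(ValueError):
    """Request or response violated policy; no file was kept."""


def validate_download_url(url: str, allowed_hosts: FrozenSet[str] = ALLOWED_HOSTS) -> str:
    """Only https, only allowlisted hosts, no user:pass@ embedded in the URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise DownloadPolicyError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise DownloadPolicyError("credentials embedded in URL")
    if host not in allowed_hosts:
        raise DownloadPolicyError(f"host not allowlisted: {host!r}")
    return url


def confine_path(base_dir: Path, file_name: str) -> Path:
    """Resolve file_name directly under base_dir; reject separators and escapes."""
    if file_name in ("", ".", "..") or "/" in file_name or "\\" in file_name:
        raise DownloadPolicyError(f"bad file name: {file_name!r}")
    base = base_dir.resolve()
    target = (base / file_name).resolve()  # follows a pre-planted symlink, if any
    if target.parent != base:
        raise DownloadPolicyError(f"path escapes base dir: {target}")
    return target


def download_from_url(url: str, file_name: str, base_dir: Path,
                      fetch: Callable[[str], Iterable[bytes]],
                      expected_sha256: Optional[str] = None,
                      max_bytes: int = 256 * 1024 * 1024) -> Path:
    """Stream into a temp file beside the target; keep it only if size and digest pass."""
    validate_download_url(url)
    target = confine_path(base_dir, file_name)
    digest, total = hashlib.sha256(), 0
    fd, tmp_name = tempfile.mkstemp(dir=target.parent, prefix=".partial-")
    try:
        with os.fdopen(fd, "wb") as tmp:
            for chunk in fetch(url):
                total += len(chunk)
                if total > max_bytes:
                    raise DownloadPolicyError(f"response exceeds {max_bytes} bytes")
                digest.update(chunk)
                tmp.write(chunk)
        if expected_sha256 and digest.hexdigest() != expected_sha256.lower():
            raise DownloadPolicyError("sha256 mismatch; refusing to keep the file")
        os.replace(tmp_name, target)
    except BaseException:
        if os.path.exists(tmp_name):
            os.unlink(tmp_name)
        raise
    return target


def demo() -> Dict[str, object]:
    """Constructed scenarios, no network: one accepted download and four refusals."""
    payload = b"constructed patch bytes, not real market data"
    good_sha = hashlib.sha256(payload).hexdigest()

    def fake_fetch(url: str) -> Iterable[bytes]:
        yield payload[:10]  # stands in for a streamed HTTP body
        yield payload[10:]

    out: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        kept = download_from_url("https://updates.example.com/p/1.bin", "1.bin",
                                 base, fake_fetch, good_sha)
        out["ok"] = kept.read_bytes() == payload
        attempts = {
            "http": ("http://updates.example.com/p/1.bin", "1.bin", good_sha),
            "host": ("https://evil.example.net/p/1.bin", "1.bin", good_sha),
            "path": ("https://updates.example.com/p/1.bin", "../1.bin", good_sha),
            "hash": ("https://updates.example.com/p/2.bin", "2.bin", "0" * 64),
        }
        for name, (url, fname, sha) in attempts.items():
            try:
                download_from_url(url, fname, base, fake_fetch, sha)
                out[name] = "accepted"
            except DownloadPolicyError:
                out[name] = "refused"
        out["leftovers"] = sorted(p.name for p in base.iterdir())
    return out
```

Two caveats worth keeping in mind: confine_path resolves the final path, so a symlink already planted under the base directory is caught, but a race between the check and the rename is not, which is why the temp file is created in the same directory and moved with os.replace; and a digest only helps if it is delivered over a channel the attacker cannot also control.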

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This file implements a standalone file encryption/decryption routine using a PRNG-derived keystream, which is unrelated to the declared stock-market analytics purpose of the skill. In this context, hidden cryptographic file transformation functionality is suspicious because it can be used to conceal, unpack, or modify payloads and user files without any clear business justification.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The code behavior materially diverges from the manifest: instead of stock screening or analytics, it derives a seed from a key and IV and transforms files on disk. Such undeclared capability increases the risk of covert data manipulation or payload staging, especially because users and reviewers would not expect file cryptography inside a financial-analysis skill.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The backtest path silently performs live outbound HTTP requests to Eastmoney when local benchmark data is unavailable, expanding the skill's trust boundary and data flow beyond the apparent internal analytics role. This can leak usage metadata, create non-deterministic behavior, and introduce dependency on an external service without explicit control, review, or disclosure.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The file implements patch-list, file-download, and decryption-key retrieval functionality that is not reflected in the stated stock-analysis skill purpose. Undocumented update and decryption capabilities expand the trust boundary and can enable covert retrieval of protected content or future code/data changes without clear user awareness.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
Benchmark retrieval and leaderboard-style yield submission go beyond a passive market-information role and involve uploading user-derived trading performance data to a remote service. This creates a privacy and data-governance risk because users may not expect portfolio metrics or rankings to be transmitted off-platform.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code can request a decryption key for arbitrary file names from a remote endpoint, which is a sensitive capability unrelated to ordinary stock analytics. If abused or improperly authorized server-side, this could facilitate access to encrypted assets or enable concealed distribution of protected content.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The function submits total yield, annualized yield, drawdown, sharpe ratio, and even detailed positions to a remote server, which is sensitive financial information beyond the declared informational scope. Exposure of holdings and performance can harm user privacy, reveal strategy details, and create regulatory or trust issues if done without explicit consent.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The stock-analysis API exposes `get_user_token()` and `set_user_token()` even though the skill is presented as a market data/backtesting tool. This gives skill logic access to read and overwrite user credentials, creating an unnecessary secret-handling surface that could enable credential theft, account misuse, or silent reconfiguration of downstream authenticated services.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Reading and mutating a user token is not justified by the stated purpose of providing stock data, indicators, and backtesting. In agent-skill contexts, any exposed credential accessor is especially dangerous because higher-level prompts or tool chains can invoke it to exfiltrate secrets or persist attacker-chosen credentials without the user's awareness.
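One way to remove the credential accessors the two findings above object to, as an added example that is not the skill's code: a handle that loads BITSOUL_TOKEN once, offers no getter or setter, attaches the token only to https requests for one allowlisted host, and redacts itself in logs. The host api.example.com and the Bearer header format are assumptions for the example.

```python
"""Host-scoped credential handle (added example, not the skill's own code).

Replaces get_user_token()/set_user_token() with an object that never returns
the secret and only attaches it to requests for an allowlisted https host.
The host and header format are assumptions; BITSOUL_TOKEN is the variable
the skill's overview tells users to configure.
"""
from __future__ import annotations

import os
from typing import Dict, FrozenSet, Mapping, Optional
from urllib.parse import urlsplit

API_HOSTS: FrozenSet[str] = frozenset({"api.example.com"})  # assumed backend host


class TokenScopeError(PermissionError):
    """Raised when code tries to send the token somewhere it is not scoped to."""


class ScopedToken:
    __slots__ = ("_secret", "_hosts", "_uses")

    def __init__(self, secret: str, allowed_hosts: FrozenSet[str] = API_HOSTS):
        if not secret or secret != secret.strip():
            raise ValueError("token missing or malformed")
        self._secret = secret
        self._hosts = frozenset(h.lower() for h in allowed_hosts)
        self._uses = 0

    @classmethod
    def from_env(cls, var: str = "BITSOUL_TOKEN",
                 env: Optional[Mapping[str, str]] = None,
                 allowed_hosts: FrozenSet[str] = API_HOSTS) -> "ScopedToken":
        """Load once from the environment; `env` is injectable for tests."""
        source = os.environ if env is None else env
        return cls(source.get(var, ""), allowed_hosts)

    def headers_for(self, url: str) -> Dict[str, str]:
        """Return the auth header only for https URLs on an allowlisted host."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" or host not in self._hosts:
            raise TokenScopeError(f"refusing to attach token to {parts.scheme}://{host}")
        self._uses += 1
        return {"Authorization": f"Bearer {self._secret}"}

    def redact(self, text: str) -> str:
        """Mask the secret wherever it appears in a log line or error message."""
        return text.replace(self._secret, "[REDACTED]")

    @property
    def uses(self) -> int:
        return self._uses

    def __repr__(self) -> str:  # safe to log; never includes the secret
        return f"ScopedToken(hosts={sorted(self._hosts)}, uses={self._uses})"

    __str__ = __repr__


def demo() -> Dict[str, object]:
    """Constructed walkthrough: one allowed call, two refusals, redaction, repr."""
    token = ScopedToken.from_env(env={"BITSOUL_TOKEN": "constructed-secret-123"})
    out: Dict[str, object] = {}
    out["allowed"] = token.headers_for("https://api.example.com/v1/benchmark")
    for name, url in {"plain_http": "http://api.example.com/v1/benchmark",
                      "other_host": "https://evil.example.net/collect"}.items():
        try:
            token.headers_for(url)
            out[name] = "sent"
        except TokenScopeError:
            out[name] = "refused"
    out["log"] = token.redact("GET https://api.example.com/?t=constructed-secret-123")
    out["repr"] = repr(token)
    out["uses"] = token.uses
    return out
```

Python cannot stop code that already holds the object from reading token._secret; the value of the pattern is that the skill's public API exposes no token read or write path, a misrouted request fails before anything is sent, and a redirect to another host is refused as long as the HTTP client asks headers_for() per request instead of forwarding headers itself.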

Vague Triggers

Medium
Confidence
82% confidence
Finding
The skill defines broad natural-language routing rules such as automatically switching to comprehensive analysis for generic requests like '分析/估值/趋势/风险' (analysis/valuation/trend/risk). Overbroad triggers can cause the skill to activate unexpectedly, leading to unintended network calls, token use, and potentially misleading financial analysis when the user's intent was ambiguous.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Phrases like '挖矿' (mining), '随机推荐' (random recommendation), and '碰碰运气' (try your luck) are especially ambiguous and map directly to a random factor backtest function. This can trigger speculative financial outputs without clear user consent or scope, increasing the risk of accidental invocation, unnecessary remote processing, and unsafe investment-style recommendations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation states that calling `train_moe_weights()` automatically writes the optimized weights into `moe_weights.json`, but it does not warn the user that invoking this API changes persistent local state. In an agent setting, this can cause silent configuration drift and make future `get_trade_signal()` results depend on an earlier action the user may not have intended to persist.

Missing User Warnings

Low
Confidence
90% confidence
Finding
`update_data()` is documented as downloading patches and importing missing data into the local database, but the persistence-changing side effect is not presented as a caution to the user. In agent workflows, hidden local data modification can trigger unintended storage growth, trust issues, or unwanted background state changes.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
`clear_indicator_cache()` can delete cached data for one symbol or all symbols, but the documentation does not present this as a destructive operation requiring caution. In an autonomous agent context, broad cache-clearing without warning can erase useful local state, degrade performance, and disrupt subsequent analyses.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The factor-mining trigger phrases are broad enough to match ordinary conversational language like '随机推荐' (random recommendation) or '碰碰运气' (try your luck), and the spec says the agent must call a powerful backtesting function when matched. This can cause unintended execution of expensive or risky analysis paths, especially because the API returns a preformatted `summary_text` the model is told to print directly.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trade-signal activation rule is phrased very broadly around common investment questions like '能不能买' (can I buy it) or '操作建议' (trading advice), forcing the agent into a specific API path for many ordinary conversations. In a financial advisory context, ambiguous auto-triggering increases the chance of overconfident, context-poor recommendations and reduces the agent's ability to ask clarifying questions.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The training trigger phrases like '优化权重' (optimize weights) or '重新训练' (retrain) are vague, and invoking the function changes model weights used by future analyses. Because this training operation also persists new weights, an overly broad trigger can let a casual user phrase silently reconfigure the skill's decision logic for subsequent sessions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The function opens an input file and writes a transformed output file with no user-facing warning, confirmation, or disclosure about what is being encrypted/decrypted. Even if invoked for a legitimate reason, silent file-writing behavior can lead to unexpected modification of user data and makes abuse harder to detect in a skill that is not supposed to perform file security operations.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The HTTP fallback sends benchmark query parameters such as instrument identifiers and date ranges to a third-party endpoint without any user-facing notice in this code path. Although the transmitted data is market-query metadata rather than secrets, it still creates undisclosed external telemetry and could reveal user activity patterns or strategy timing.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
A hardcoded token appears in the executable test block, creating an immediate credential exposure risk if the file is shared, published, or reused. Anyone obtaining the source may be able to call backend APIs, enumerate services, or submit data under that credential.
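A small static triage pass for the Behavioral AST and Env Variable Harvesting patterns listed under Vulnerability Patterns, extended with the hardcoded-credential check this finding calls for, as an added example; it is not SkillSpector's own implementation. The rule names and the SAMPLE source (which mirrors the getattr(), environment and test-block snippets quoted in this report) are constructed for the example.

```python
"""AST triage for a Python skill file (added example, not SkillSpector's code).

Reports exec()/eval() calls, dynamic imports, getattr() with a non-literal
attribute name, os.environ / os.getenv reads, and string literals assigned to
token-like names. SAMPLE is a constructed source that mirrors the audited
snippets; rule names are this example's own.
"""
from __future__ import annotations

import ast
import re
from typing import List, Tuple

Finding = Tuple[int, str, str]  # (line, rule, detail)

DYNAMIC_IMPORT = {"__import__", "import_module"}
SECRET_NAME = re.compile(r"(token|secret|passw(or)?d|api_?key)", re.I)


def _dotted(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as os.environ.get as a dotted string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def scan_source(src: str) -> List[Finding]:
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            leaf = name.rsplit(".", 1)[-1]
            if leaf in ("exec", "eval"):
                findings.append((node.lineno, "dangerous-exec", f"{leaf}() call"))
            elif leaf in DYNAMIC_IMPORT:
                findings.append((node.lineno, "dynamic-import", f"{name}() call"))
            elif leaf == "getattr" and len(node.args) >= 2 \
                    and not isinstance(node.args[1], ast.Constant):
                findings.append((node.lineno, "dynamic-attr",
                                 "getattr() with non-literal attribute name"))
            elif name in ("os.getenv", "os.environ.get"):
                findings.append((node.lineno, "env-read", f"{name}()"))
        elif isinstance(node, ast.Subscript) and _dotted(node.value) == "os.environ":
            findings.append((node.lineno, "env-read", "os.environ[...]"))
        elif isinstance(node, ast.Assign):
            for tgt in node.targets:
                tname = _dotted(tgt) if isinstance(tgt, (ast.Name, ast.Attribute)) else ""
                if (SECRET_NAME.search(tname) and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str) and len(node.value.value) >= 8):
                    findings.append((node.lineno, "hardcoded-secret",
                                     f"{tname} = <string literal>"))
    return sorted(findings)


def scan_file(path: str) -> List[Finding]:
    with open(path, encoding="utf-8") as fh:
        return scan_source(fh.read())


# Constructed sample mirroring the audited snippets; not the skill's source.
SAMPLE = '''\
import os, importlib

def fill(panels, fill_method):
    for key in list(panels.keys()):
        panels[key] = getattr(panels[key], fill_method)()  # audited pattern
    return panels

def load_plugin(name):
    return importlib.import_module(name)

def config():
    return os.environ["HOME"], os.getenv("BITSOUL_TOKEN")

if __name__ == "__main__":
    token = "constructed-example-token-0123456789"  # hardcoded credential
    eval("print(1)")
'''

if __name__ == "__main__":
    for line, rule, detail in scan_source(SAMPLE):
        print(f"{line:>4}  {rule:<17} {detail}")
```

The environment reads are reported so a reviewer can confirm that BITSOUL_TOKEN is the only variable consumed; a skill that also reads unrelated variables matches the Env Variable Harvesting pattern. The secret-name regex is deliberately loose, so treat its hits as candidates to inspect rather than confirmed findings.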

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code sends sensitive financial performance and position data to a remote API without any indication of user notice or consent at the call site. In a stock-analysis skill, hidden transmission of holdings is especially risky because it can disclose investment behavior and proprietary strategy information.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Sensitive credential accessors are exposed with no user-facing warning, consent, or indication that a stock-analysis tool can inspect and change tokens. The lack of disclosure increases the chance that users or orchestrating agents will invoke these methods without understanding the credential risk, enabling stealthy misuse.

VirusTotal

65/65 vendors flagged this skill as clean.
