paper-test2

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate paper-trading assistant, but it automatically creates recurring background monitoring and has broad visibility into local account events that users should review before installing.

Install only if you are comfortable with a local Python service, dependency installation, local storage of simulated trading history, use of STOCKI_GATEWAY_URL/STOCKI_API_KEY for quote requests, and an automatic every-minute background monitor after working LIMIT orders. Before using restart/stop or LIMIT orders, check how to view/remove the monitor and understand that service restart cancels open paper orders.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill uses sensitive capabilities including environment access, file read/write, network calls, and shell execution, but those capabilities are not declared in the manifest as permissions. This reduces transparency and weakens policy enforcement, making it harder for users or a platform to understand that the skill can start services, persist state, read tokens from disk, and contact external systems.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The public description says the skill is for simulated trading and quotes, but the instructions also cover event/audit retrieval, symbol metadata lookups, lifecycle management, diagnostics, persistent snapshots, and cron-based monitoring. This mismatch can cause users and reviewers to underestimate what the skill can do, especially its ability to run background jobs and manage local processes.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill automatically creates and manages a recurring cron job that continues running after the immediate user request, but this persistent background behavior is not clearly disclosed in the manifest/description. Undisclosed persistence increases risk because the agent can keep polling account state and sending notifications without a fresh user action.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documentation explicitly states that omitting `account_id` returns events for all accounts, which exceeds the stated single-user trading-assistant scope and can enable cross-account data exposure. In a trading context, event streams can reveal account identifiers, order activity, fills, and operational history, making this a meaningful confidentiality breach if access control is not strictly enforced server-side.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README states that the skill will automatically start a local trading simulator and use a hosted quote gateway, but it does not clearly warn users that a local process will be launched and that market-related requests may be sent to an external service. This is a transparency and consent problem: users may install or invoke the skill without understanding its local execution and network behavior, which can violate security expectations in tightly controlled environments.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to create a recurring cron job automatically on the first working limit order, without clear user-facing disclosure or opt-in for ongoing background activity. Persistent polling and later-origin notifications can surprise users and expand the operational footprint beyond a single request.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs the agent to retrieve account balances, positions, and P&L whenever the user asks, but provides no user-facing disclosure, identity check, or privacy guard despite handling sensitive financial information. In a trading assistant context, this can expose portfolio and cash data to an unauthorized or unintended party if session routing, shared devices, or prompt confusion causes the wrong user context to be used.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The troubleshooting guidance tells operators to restart or inspect lifecycle state when users report outages, but it does not warn up front that restarting this service cancels all WORKING paper-trading orders. In a trading assistant context, that side effect can surprise users, disrupt simulated strategies, and cause loss of expected state even if it does not affect real funds.

VirusTotal

58/58 vendors flagged this skill as clean.