MCP Server

Security checks across malware telemetry and agentic risk

Overview

This finance MCP is not clearly malicious, but it needs review because local use sends financial inputs to QuantOracle’s remote API without clear per-tool disclosure.

Install only if you are comfortable sending calculation inputs, portfolio details, strategy parameters, and similar financial data to QuantOracle’s hosted API. Keep wallet/payment use manual, watch the free-call limit, and avoid exposing the local MCP port beyond trusted clients.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and depends on code execution and network access (`npx quantoracle-mcp` and a remote MCP endpoint) but does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: an agent or reviewer may treat the skill as lower risk than it is, while it can still execute Node-based code and make outbound network requests to a third-party service.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill is presented as a deterministic local calculator, but the implementation dynamically downloads an OpenAPI spec and forwards tool calls to a remote backend. This creates a trust-boundary mismatch: users and agents may disclose sensitive financial inputs under the assumption of local computation, while availability, behavior, pricing, and returned results are controlled by an external service.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Embedding wallet/payment-routing behavior in a skill advertised as pure finance calculation introduces undisclosed monetization and payment-collection logic into an otherwise analytical tool. While not code-execution dangerous by itself, it increases the risk of deceptive usage expectations, billing surprises, and dependency on a hardcoded payment recipient.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The MCP server forwards every tool invocation, including user-supplied JSON arguments, to a remote backend at BACKEND_URL. While this is core to the service design, the skill does not provide a clear user-facing disclosure at tool execution time that inputs leave the local host and are sent to a third-party service, which can expose sensitive financial or proprietary data users may assume is processed locally.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The server stores client IP addresses in memory for session tracking and rate limiting, but there is no visible notice to users that their IP is being collected and associated with usage. This is primarily a privacy/transparency issue rather than a direct exploit path, but it can matter in regulated or privacy-sensitive environments.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Client-supplied arguments are serialized and sent directly to an external backend with no just-in-time disclosure, redaction, or consent mechanism. In a finance context, inputs may include proprietary trading positions, portfolio data, or strategy parameters, so silent exfiltration to a third party is a meaningful confidentiality risk.

VirusTotal

65/65 vendors flagged this skill as clean.
