Security audit

technical-analyst

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed stock technical-analysis helper that uses a Finskills API key and market-data requests, with no hidden execution, persistence, account access, or trading authority found.

Install only if you are comfortable giving the Finskills integration an API key and sending requested ticker symbols to Finskills for market data. Treat the generated entries, stops, targets, and recommended actions as educational technical analysis, not personalized financial advice or a command to trade.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Low (96% confidence)

The README clearly states the skill is powered by the Finskills API and fetches market data, but it does not explicitly disclose that user-requested symbols and related query context will be transmitted to a third-party service. This is a real transparency and privacy issue: even if ticker symbols are usually low sensitivity, prompts may contain trading intent, watchlists, or proprietary research interests that users do not expect to be shared externally.

Vague Triggers

Medium (90% confidence)

The activation criteria include broad natural-language prompts such as asking where a stock is heading or whether to buy the dip, which can cause the skill to trigger in contexts where the user did not explicitly request this specific tool. In a financial-analysis skill, unintended invocation is more dangerous because it may inject speculative trading guidance into general discussion and increase the chance of inappropriate or overconfident recommendations.

Missing User Warnings

Medium (97% confidence)

The skill produces concrete trading guidance including entry zones, stop-losses, targets, and recommended actions, but it does not prominently warn users that this is educational information rather than financial advice. In this context, that omission is particularly risky because the output is highly action-oriented and could be relied on by users to make real financial decisions, creating harm through losses or unsuitable trading behavior.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.