Security audit

FW-trading

Security checks across malware telemetry and agentic risk

Overview

This trading skill is mostly coherent, but it handles live financial credentials and installation in ways users should review carefully before use.

Install only if you trust the publisher and are comfortable with a skill that can access live brokerage data and place live trades after confirmation. Prefer installing dependencies manually, avoid pasting API keys or PEM material into chat, restrict file permissions on fosun.env and backups, and review or patch the TLS verification and remote installer behavior before using it with real accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

Tainted flow: 'url' from os.environ.get (line 700, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
def _post_auth_json(base_url: str, path: str, payload: dict[str, Any]) -> dict[str, Any]:
    url = f"{base_url.rstrip('/')}{path}"
    response = requests.post(
        url,
        json=payload,
        headers=_auth_headers(),
        timeout=15,
        verify=False,  # disables TLS certificate verification; this is the flagged setting
    )
Confidence
97% confidence
Finding
response = requests.post( url, json=payload, headers=_auth_headers(), timeout=15, verify=False, )

Description-Behavior Mismatch

Low
Confidence
83% confidence
Finding
The manifest says the skill only uses simulated-trading APIs and does not handle credential generation or repair, yet it explicitly reuses a shared credential file resolved from a parent skill root. That creates a trust-boundary problem: a supposedly limited simulation-only skill can still consume sensitive shared credentials, increasing the chance of accidental credential exposure, cross-skill misuse, or unintended access to live-trading context if routing or environment resolution is wrong elsewhere.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The simulation client writes updates back into the shared global `fosun.env` via `upsert_shared_env`, even though the skill is supposed to operate in a mock-account isolation domain. That creates cross-skill state mutation: a mock-trading workflow can alter credentials or account-selection metadata consumed by other skills, which can cause credential corruption, account mix-ups, or unsafe cross-environment behavior.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code prepends a sibling directory to `sys.path` and then imports `api_key_check` dynamically. If that sibling skill directory is modified, replaced, or writable by a less-trusted actor, importing this file will execute attacker-controlled Python code in the current process, crossing trust boundaries between skills.
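The finding above describes the risky pattern (prepend a sibling directory to sys.path, then import from it). The following is an added example, not code from the skill or from the scanner: it shows one way to guard that import by refusing a directory or module file that is owned by another user or writable by group/other, and by removing the path entry again after the import. The directory name fosun-env-setup and the module name api_key_check_demo are stand-ins chosen for the demo; the POSIX ownership check is skipped on platforms without os.getuid.

```python
import importlib
import os
import stat
import sys
import tempfile
from pathlib import Path


class UntrustedImportPath(Exception):
    """Raised when a directory or file is not safe to import code from."""


def _reject_if_shared_writable(p: Path, what: str) -> None:
    mode = p.stat().st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UntrustedImportPath(f"{what} {p} is group/world-writable (mode {oct(mode & 0o777)})")


def assert_trusted_dir(path: Path) -> Path:
    """Resolve symlinks, then require: is a directory, owned by us, not writable by others."""
    real = path.resolve()
    if not real.is_dir():
        raise UntrustedImportPath(f"{real} is not a directory")
    if hasattr(os, "getuid") and real.stat().st_uid != os.getuid():
        raise UntrustedImportPath(f"{real} is not owned by the current user")
    _reject_if_shared_writable(real, "directory")
    return real


def import_sibling_module(sibling_dir: Path, module_name: str):
    """Import module_name from sibling_dir only after the trust checks pass.

    Replaces the bare `sys.path.insert(0, dir); import api_key_check` pattern:
    the directory and the module file are checked first, and the sys.path
    entry is removed again so later imports cannot be hijacked through it.
    """
    real = assert_trusted_dir(sibling_dir)
    mod_file = real / f"{module_name}.py"
    if not mod_file.is_file():
        raise UntrustedImportPath(f"{mod_file} not found")
    _reject_if_shared_writable(mod_file, "module file")
    entry = str(real)
    added = entry not in sys.path
    if added:
        sys.path.insert(0, entry)
    try:
        return importlib.import_module(module_name)
    finally:
        if added:
            sys.path.remove(entry)


def run_demo() -> dict[str, object]:
    """Constructed scenario: a trusted sibling dir, then the same dir made world-writable."""
    root = Path(tempfile.mkdtemp())
    sibling = root / "fosun-env-setup"          # stand-in for the sibling skill directory
    sibling.mkdir()
    mod = sibling / "api_key_check_demo.py"     # stand-in for api_key_check.py
    mod.write_text("STATUS = 'ok'\n")
    os.chmod(sibling, 0o755)
    os.chmod(mod, 0o644)
    out: dict[str, object] = {}
    out["status"] = import_sibling_module(sibling, "api_key_check_demo").STATUS
    out["path_restored"] = str(sibling.resolve()) not in sys.path
    os.chmod(sibling, 0o777)                    # now anyone on the host could drop a .py here
    try:
        import_sibling_module(sibling, "api_key_check_demo")
        out["writable_dir_rejected"] = False
    except UntrustedImportPath:
        out["writable_dir_rejected"] = True
    return out


if __name__ == "__main__":
    print(run_demo())
```

The check is a mitigation for the cross-skill trust boundary the finding describes, not a substitute for it: a sibling skill that is legitimately writable by the same user can still be modified by anything else running as that user.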

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The script advertises that it queries a simulated account, but it never validates that the selected account or credential context is actually a mock/sandbox account before calling the trading API. In a trading skill that manages shared credentials and routes between real and simulated environments, this mismatch can cause users or upstream agents to retrieve real-account balances and buying power under false assumptions, which is a dangerous environment-confusion flaw and can contribute to unintended real trading workflows.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The installer fetches a PowerShell script from the internet and immediately executes it via `Invoke-Expression`, creating a direct remote-code-execution path during installation. In a trading skill that manages shared credentials, this is especially risky because a compromised upstream host, proxy, or network path could run arbitrary code and steal tokens, alter environment files, or persist on the host.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script downloads a PowerShell installer from the internet and immediately executes it via Invoke-Expression, with no signature verification, checksum validation, pinning to trusted content, or user confirmation. This creates a direct remote code execution path during installation: if the remote endpoint, proxy, DNS, TLS trust chain, or network path is compromised, arbitrary code runs on the host with the user's privileges.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The setup/reset messaging explicitly instructs the user to send back an API Key and full PEM key material through chat, but provides no warning about secure handling, retention, or safer transmission channels. In a trading credential workflow, this is dangerous because chat systems, logs, attachments, and operator consoles may expose credential material to unintended parties or create durable secrets leakage.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The reset flow requires the user to copy and transmit highly sensitive credential material back to the agent, yet omits any disclosure of the security risks of doing so. Because this skill manages live trading environment credentials, collecting secrets in chat materially increases the chance of credential compromise, account takeover, and unauthorized trading actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guidance embeds a command line that places secret values directly into process arguments, which may be exposed via shell history, audit logs, process listings, or support transcripts. Even though the PEM shown is a server public key, the API Key is sensitive and the pattern normalizes insecure secret handling without any warning or safer alternative.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script places API keys and private/public key material into process environment variables before importing and invoking SDK code. Environment variables can be inherited by child processes, exposed through diagnostics/crash reports, or read by other code in the same process, which broadens credential exposure beyond the credential file itself.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script generates a `fosun.env` file containing an API key and a base64-encoded private key, but the user-facing output does not warn that the file contains highly sensitive credential material. Base64 is not protection, so users may mistakenly treat the file as ordinary configuration, increasing the chance of accidental commit, backup leakage, or permissive file sharing.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document explicitly instructs the user to send sensitive credential material (apikey and full server public key, tied to a live trading integration) to the agent for write-back, but provides no privacy boundary, redaction guidance, or secure handling requirements. In the context of a trading skill that centrally manages a shared credential file, this creates unnecessary credential exposure to the conversational channel, logs, and any downstream tool integrations handling agent inputs.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README states that the skill will automatically write `FSOPENAPI_ACCOUNT_INDEX` into the shared credential file referenced by `FOSUN_ENV_PATH`, and may refresh that cache during normal business commands. Because this file is a shared credential store used across skills, implicit mutation of it during read-like operations increases the risk of accidental credential/config corruption, hidden state changes, and cross-skill side effects without a prominent warning or explicit confirmation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script explicitly states it has a side effect: on success it writes account index data into the shared fosun.env file. Although this is not inherently malicious, mutating a shared credential store during what appears to be a read-only 'health check' can surprise users and downstream tools, increase the blast radius of mistakes, and overwrite or corrupt shared state without an explicit user-facing confirmation at execution time.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script performs a silent download-and-execute of a remote installer without any warning or consent prompt. This removes an important trust boundary and means users invoking a trading-related skill may unknowingly authorize arbitrary code execution unrelated to the core business logic.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The manifest states that the skill will reuse a shared credential file via FOSUN_ENV_PATH and, if unset, automatically resolve credentials from a broader 'root' location. In a real-trading skill, this kind of implicit credential discovery expands trust boundaries, can cause the agent to pick up unintended secrets, and increases the chance of cross-skill credential leakage or accidental use of live trading accounts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This script explicitly persists fetched account metadata back into a shared fosun.env file for later reuse. Even though this is described as intended behavior, storing account identifiers and classification in shared mutable state can leak sensitive financial context across runs, users, or tools, and creates an integrity risk if later scripts trust the cached index without revalidation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This script queries live-account cash-flow data, which is highly sensitive financial information, but it does not present any explicit user-facing warning, consent gate, or visibility check before retrieving and returning the data. In an agent setting, that increases the risk of accidental over-disclosure to the wrong user, the wrong channel, or without the user's informed understanding that real account history will be accessed.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This script performs a live API call to enumerate accounts and then writes the refreshed account index back into a shared credential file, but the code itself contains no runtime user-confirmation or explicit disclosure gate before making that state-changing update. In a trading skill that centrally manages shared credentials, this can cause silent persistence of sensitive account metadata and unintended modification of shared state if invoked by an agent or workflow without the user's clear awareness.
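Several findings above concern scripts that write account metadata back into the shared fosun.env, a file that also holds the API key and private-key material (see also the note that base64 is not protection and the recommendation to restrict permissions on fosun.env). The following is an added example, not the skill's upsert_shared_env: it shows one way to make such a write-back safer, by allowing a workflow to update only an explicit set of keys (so a simulation flow can refresh FSOPENAPI_ACCOUNT_INDEX but not overwrite the credentials), refusing a file that group or other users can read, and replacing the file atomically so a crash never leaves a truncated credential store. The key names and the placeholder values in the demo are constructed for illustration.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Keys a simulation-only workflow is allowed to touch (hypothetical policy, modelled on the
# FSOPENAPI_* names in the findings).
WRITABLE_BY_SIMULATION = frozenset({"FSOPENAPI_ACCOUNT_INDEX"})
_KEY_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")


class UnsafeEnvFile(Exception):
    """The shared env file is readable or writable by other users."""


def check_env_file_mode(path: Path) -> None:
    """Refuse to read or update an env file unless it is 0600-equivalent."""
    mode = path.stat().st_mode & 0o777
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise UnsafeEnvFile(f"{path} has mode {oct(mode)}; expected 0600")


def parse_env(text: str) -> dict[str, str]:
    """Minimal KEY=VALUE parser; comments and blank lines are ignored."""
    out: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = value.strip()
    return out


def upsert_shared_env(path: Path, updates: dict[str, str], allowed: frozenset[str]) -> dict[str, str]:
    """Update only the allowed keys, atomically, keeping the file at mode 0600."""
    for key, value in updates.items():
        if not _KEY_RE.match(key):
            raise ValueError(f"invalid key name {key!r}")
        if key not in allowed:
            raise PermissionError(f"{key} is not writable by this workflow")
        if "\n" in value:
            raise ValueError(f"value for {key} must be a single line")
    current: dict[str, str] = {}
    if path.exists():
        check_env_file_mode(path)
        current = parse_env(path.read_text())
    current.update(updates)
    # Write a 0600 temp file in the same directory, then rename it over the target,
    # so a crash mid-write cannot leave a half-written credential file behind.
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".fosun.env.")
    try:
        os.fchmod(fd, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write("".join(f"{k}={v}\n" for k, v in current.items()))
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return current


def run_demo() -> dict[str, object]:
    """Exercise the guard rails on a constructed fosun.env in a temp directory."""
    env = Path(tempfile.mkdtemp()) / "fosun.env"
    env.write_text("FSOPENAPI_APIKEY=example-key-not-real\n")   # constructed placeholder
    os.chmod(env, 0o600)
    out: dict[str, object] = {}
    out["after_upsert"] = upsert_shared_env(env, {"FSOPENAPI_ACCOUNT_INDEX": "1"}, WRITABLE_BY_SIMULATION)
    out["mode"] = oct(env.stat().st_mode & 0o777)
    try:
        upsert_shared_env(env, {"FSOPENAPI_APIKEY": "x"}, WRITABLE_BY_SIMULATION)
        out["credential_overwrite_blocked"] = False
    except PermissionError:
        out["credential_overwrite_blocked"] = True
    os.chmod(env, 0o644)   # simulate a user who loosened the permissions
    try:
        upsert_shared_env(env, {"FSOPENAPI_ACCOUNT_INDEX": "2"}, WRITABLE_BY_SIMULATION)
        out["permissive_file_rejected"] = False
    except UnsafeEnvFile:
        out["permissive_file_rejected"] = True
    return out


if __name__ == "__main__":
    print(run_demo())
```

The allow-list is the important part for the cross-skill findings: a read-like health check that is only permitted to write the account index cannot corrupt the credential fields even if its input is wrong.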

Missing User Warnings

High
Confidence
99% confidence
Finding
This installer silently performs remote script execution without explicit warning or consent, which is especially risky in a trading-related skill that may be installed on systems holding API credentials and financial tooling. The lack of confirmation removes a safety barrier and makes accidental execution of untrusted code much more likely.
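The four installer findings above all describe the same pattern: fetch a script from the network and hand it straight to Invoke-Expression, with no checksum, signature or confirmation in between. The following is an added example, not the skill's installer: it shows the download-verify-confirm-execute sequence in Python, with the fetch, the confirmation prompt and the runner injectable so the verification logic can be exercised offline. The URL, the installer body and the pinned digest in the demo are constructed. In PowerShell the same sequence is Invoke-WebRequest -OutFile to a file, Get-FileHash compared against a pinned value (or Get-AuthenticodeSignature for a signed script), and only then execution from disk; the pinned digest must come from somewhere other than the host that serves the script, or it verifies nothing.

```python
import hashlib
import hmac
import subprocess
import tempfile
from typing import Callable
from urllib.request import urlopen


class InstallerVerificationError(Exception):
    """Downloaded bytes do not match the pinned digest."""


def verify_installer_bytes(data: bytes, expected_sha256: str) -> str:
    """Return the hex digest when it matches the pinned value, otherwise raise."""
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise InstallerVerificationError(f"sha256 {actual} != pinned {expected_sha256}")
    return actual


def default_fetch(url: str) -> bytes:
    # urlopen validates the server certificate; never pass an unverified SSL context here.
    with urlopen(url, timeout=30) as resp:
        return resp.read()


def default_confirm(message: str) -> bool:
    return input(message + " [y/N] ").strip().lower() == "y"


def default_runner(script_path: str) -> None:
    # Runs the verified file from disk ("powershell" instead of "pwsh" on Windows PowerShell 5).
    subprocess.run(["pwsh", "-NoProfile", "-File", script_path], check=True)


def install_from_pinned(
    url: str,
    expected_sha256: str,
    *,
    fetch: Callable[[str], bytes] = default_fetch,
    confirm: Callable[[str], bool] = default_confirm,
    runner: Callable[[str], None] = default_runner,
) -> bool:
    """Download, verify against the pinned digest, ask the user, then run from disk.

    Returns True if the installer ran and False if the user declined; a digest
    mismatch raises before anything is written or executed. This replaces the
    `Invoke-Expression (Invoke-RestMethod $url)` shape that runs whatever arrived.
    """
    data = fetch(url)
    digest = verify_installer_bytes(data, expected_sha256)
    if not confirm(f"Run installer from {url} (sha256 {digest})?"):
        return False
    with tempfile.NamedTemporaryFile("wb", suffix=".ps1", delete=False) as tmp:
        tmp.write(data)
        script_path = tmp.name
    runner(script_path)
    return True


def run_demo() -> dict[str, object]:
    """Offline exercise with a constructed installer body and an in-memory fetch."""
    good = b'Write-Host "installing"\n'                       # constructed, not the skill's script
    pinned = hashlib.sha256(good).hexdigest()                 # the digest you would publish out-of-band
    url = "https://installer.example.invalid/install.ps1"   # placeholder URL
    ran: list[str] = []
    out: dict[str, object] = {}
    out["ran_after_confirm"] = install_from_pinned(
        url, pinned, fetch=lambda _u: good, confirm=lambda _m: True, runner=ran.append)
    out["runs"] = len(ran)
    out["declined"] = install_from_pinned(
        url, pinned, fetch=lambda _u: good, confirm=lambda _m: False, runner=ran.append)
    tampered = good + b'Write-Host "tampered"\n'              # what a modified upstream would serve
    try:
        install_from_pinned(url, pinned, fetch=lambda _u: tampered, confirm=lambda _m: True, runner=ran.append)
        out["tampered_rejected"] = False
    except InstallerVerificationError:
        out["tampered_rejected"] = True
    out["runs_after_all"] = len(ran)
    return out


if __name__ == "__main__":
    print(run_demo())
```

Note that the digest check only protects against a changed script, not a malicious one: the trust decision is still whether the publisher of the pinned value is trusted, which is why the confirmation prompt shows the user both the URL and the digest.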

Ssd 3

High
Confidence
98% confidence
Finding
These lines instruct the operator to ask the user to paste sensitive credential material into chat. That creates a direct secret exfiltration path through the agent interface and any downstream logging/monitoring systems, which is especially risky in a financial trading skill where compromised credentials can enable unauthorized account access and transactions.

Ssd 3

High
Confidence
99% confidence
Finding
The reset path explicitly requires users to paste both API Key and PEM content directly to the agent, making sensitive data transit an untrusted conversational channel. In the context of broker/trading OpenAPI credentials, this materially raises the risk of credential theft, replay, support-side misuse, and unauthorized trading activity.

Ssd 3

High
Confidence
97% confidence
Finding
The operational guide makes receipt of the user's API Key and full key material a mandatory precondition, institutionalizing secret collection through the agent workflow. Because the skill centrally manages shared credentials for trading operations, this expands the attack surface and increases the blast radius of any transcript, memory, or operator compromise.

Ssd 3

High
Confidence
97% confidence
Finding
The structured next-action fields programmatically tell the agent to request and receive sensitive credential data from the user, which can propagate insecure behavior across all flows using this metadata. In a skill that handles a global shared credential file for live and simulated trading, such design can lead to systematic secret exposure and broad operational compromise if chat records are accessed.

VirusTotal

64 of 64 vendors reported this skill as clean.

Static analysis

Detected: suspicious.dynamic_code_execution, suspicious.exposed_secret_literal, suspicious.insecure_tls_verification

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
fosun-env-setup/code/qr_artifact.py:34

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
fosun-env-setup/code/ensure_fosun_env.py:534

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
fosun-env-setup/code/ensure_fosun_env.py:706
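The critical taint-flow finding near the top of this audit and the suspicious.insecure_tls_verification hit above both point at the same call in ensure_fosun_env.py: requests.post(..., verify=False), which accepts any certificate and so any on-path party for the credentialed API traffic. The following is an added example, not code from the skill: it shows the hardened shape of that call (verify is True by default, or the path of a CA bundle that must exist, never False), and a small AST-based check that finds verify=False or verify=0 in any call so the setting can be caught before a skill is installed. The sample source it scans is constructed, modelled on the page's excerpt, with a placeholder bearer token.

```python
import ast
import os
from typing import Optional, Union

try:
    import requests
except ImportError:  # the scanner below needs only the standard library
    requests = None


def resolve_verify(ca_bundle: Optional[str] = None) -> Union[bool, str]:
    """Value to pass as `verify`: True, or a CA bundle path that actually exists.

    A missing bundle raises instead of silently degrading; returning False is
    not an option this function offers. With verify=True, requests also honours
    REQUESTS_CA_BUNDLE / CURL_CA_BUNDLE from the environment.
    """
    if ca_bundle is None:
        return True
    if not os.path.isfile(ca_bundle):
        raise FileNotFoundError(f"CA bundle not found: {ca_bundle}")
    return ca_bundle


def post_auth_json(base_url: str, path: str, payload: dict, headers: dict,
                   ca_bundle: Optional[str] = None) -> dict:
    """Hardened form of the flagged call: same arguments, certificate checks kept on."""
    if requests is None:
        raise RuntimeError("requests is not installed")
    url = f"{base_url.rstrip('/')}{path}"
    resp = requests.post(url, json=payload, headers=headers, timeout=15,
                         verify=resolve_verify(ca_bundle))
    resp.raise_for_status()
    return resp.json()


def find_disabled_tls_verification(source: str) -> list[tuple[int, str]]:
    """Return (line, callee) for every call that passes verify=False or verify=0."""
    hits: list[tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                    and kw.value.value in (False, 0)):
                hits.append((node.lineno, ast.unparse(node.func)))
    return hits


# Constructed sample, modelled on the excerpt in the taint-flow finding (not the skill's file).
SAMPLE_SOURCE = '''\
import requests

def _auth_headers():
    return {"Authorization": "Bearer example-not-real"}

def _post_auth_json(base_url, path, payload):
    url = f"{base_url.rstrip('/')}{path}"
    response = requests.post(url, json=payload, headers=_auth_headers(),
                             timeout=15, verify=False)
    return response.json()

def get_health(base_url):
    return requests.get(base_url + "/health", timeout=5)
'''


if __name__ == "__main__":
    for line, callee in find_disabled_tls_verification(SAMPLE_SOURCE):
        print(f"verify=False at line {line} in call to {callee}")
```

The scanner deliberately only matches a literal False or 0; a `verify` bound to a variable or read from configuration needs the data-flow treatment the SkillSpector finding describes, which is beyond a one-pass AST walk.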