Security audit

LongPort Quant Trader

Security checks across malware telemetry and agentic risk

Overview

This automated trading skill can place brokerage orders and send messages, but its live-trading safeguards, credential handling, and disclosure are not adequate for the authority it requests.

Install only for code review or paper-trading experiments. Do not provide live brokerage credentials until the order paths are audited, hardcoded LongPort/Feishu secrets are removed and rotated, recipients are user-configured, live trading requires an explicit opt-in, and logs/state files are handled as sensitive financial data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (64)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            "--target", FEISHU_USER_OPEN_ID,
            "--message", message
        ]
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

        if result.returncode == 0:
            print("\n✅ 监控完成,推送成功")
Confidence
93% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

Tainted flow: 'cmd' from os.getenv (line 399, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
            "--target", FEISHU_USER_OPEN_ID,
            "--message", message
        ]
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

        if result.returncode == 0:
            print("\n✅ 监控完成,推送成功")
Confidence
89% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
78% confidence
Finding
The skill advertises and appears to require sensitive capabilities such as environment variable access, network access, shell execution, and file read/write, but does not declare permissions explicitly. In a trading skill, this is dangerous because it can access brokerage credentials, place orders, persist data locally, and transmit account or trading information without clear user visibility or consent boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The declared behavior is a relatively narrow LongPort auto-trading monitor, but the analysis indicates substantially broader capabilities including news scraping, sentiment analysis, event-driven trading, options monitoring, Feishu directory queries, and multiple experimental strategy modules. This mismatch is dangerous because users may grant credentials and trust the skill for one purpose while it performs materially different, higher-risk actions involving additional data collection, messaging, and trading workflows.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code calculates and prints stop-loss and take-profit thresholds, but it never places exit orders, monitors positions, or records realized performance. In an automated trading skill, this mismatch is dangerous because users may rely on advertised risk controls that do not actually exist, increasing the chance of unmanaged losses.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The script initializes a real TradeContext from environment configuration and later submits orders through ctx.submit_order, yet tells the user it is only a simulated test. This can directly mislead users into running code that places live trades with real capital under false assumptions of safety.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code labels a value as maximum drawdown but computes `max(self.daily_returns)`, which is the maximum daily profit-like value, not peak-to-trough portfolio decline. In a trading/backtesting skill, misstating drawdown materially understates risk and can mislead users into deploying unsafe strategies with real capital.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The code claims to be doing only 'virtual trading' but initializes live LongPort TradeContext and QuoteContext directly from environment credentials. In a trading skill, this mismatch is dangerous because users may run it believing it is harmless test code while it has the capability to place real orders if later code paths are changed or API behavior differs, creating financial loss risk.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill metadata advertises deterministic oversold/momentum automation with Feishu notifications and performance tracking, but this file instead performs randomized news and block-trade simulation logic. In an automated trading context, this is security-relevant because misleading functionality can cause users to deploy code with incorrect assumptions about behavior, controls, and risk management.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file presents itself as an automated event-driven trading strategy, but the core signal generation for news and block trades is fabricated with random values rather than derived from real market/news inputs. In an auto-trading context, this is dangerous because users may deploy it with real capital under false assumptions about strategy validity, causing arbitrary trades and financial loss.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The code claims to apply a trend filter, but trend direction is assigned randomly instead of being computed from price history or indicators. Because this trend value gates buy/sell decisions, the strategy's risk controls and trade direction are effectively arbitrary, undermining the safety claims of the trading logic.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The comments and docstrings imply genuine event and trend analysis, while the implementation explicitly simulates them with random values. This mismatch is security-relevant because it misleads operators about what the code is actually doing, increasing the chance of unsafe deployment in a live trading environment.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The file presents itself as a machine-learning-enhanced trading strategy, but the implementation is driven largely by random choices and simulated favorable outcomes rather than a real model or market data. In an automated trading skill, this misrepresentation can mislead users into trusting fictitious intelligence and performance claims, increasing the risk of financial loss from unsafe deployment decisions.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The comment says the strategy stores signal-quality history, but the code actually stores only whether prior trades were profitable. That mismatch can cause maintainers or users to misunderstand what is being optimized, making the pseudo-model's outputs less trustworthy and increasing the chance of incorrect trading decisions based on false assumptions.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
This script enumerates organization users and sends a hard-coded personal message to a matched individual, behavior that exceeds the advertised automated trading and monitoring scope. In a trading-related skill, undisclosed contact-enumeration and direct messaging increase the risk of privacy violations, unauthorized notifications, and misuse of enterprise messaging access.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The embedded card claims that long connection, trading permissions, and normal application status are active, but the script does not verify any of those conditions before sending the message. This can mislead recipients into trusting nonexistent trading connectivity or permissions, which is especially risky in a trading automation context where operational status affects financial decisions.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The script defines stop-loss, take-profit, and position sizing parameters but never applies them in the backtest logic, while the skill description advertises automated trading with risk controls. In a trading context, this is security-relevant because users may trust materially false risk-management claims and deploy the strategy or rely on its reported performance under the mistaken belief that downside controls were tested.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module claims to backtest strategy performance over three months, but the implementation merely counts days where price changes cross thresholds and averages same-day returns instead of simulating trades. This can mislead users into believing the strategy has been validated, which is especially risky in a skill intended for automated securities trading where incorrect performance claims may drive financial decisions.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The script prints a safety disclaimer stating it does not place real orders, yet earlier logic can automatically submit buy orders when the mean-reversion strategy matches and auto_trade is enabled. In a trading skill, misleading the user about live order behavior is dangerous because it can cause unintended market transactions and financial loss under false assumptions.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Executing an external CLI for messaging introduces an unnecessary attack surface unrelated to the core news-analysis logic. In this context, the extra capability is more dangerous because the skill already has a direct API fallback, so the subprocess path expands privilege and dependency risk without clear need.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file materially misrepresents the advertised skill behavior: instead of implementing automated HK/US trading, monitoring, and notifications, it only runs a local randomized backtest. In a financial trading context, this is dangerous because users may rely on fabricated or irrelevant results to make real investment decisions, and the mismatch undermines auditability and trust in any claimed automation.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The comments and configuration claim risk-reducing signals such as RSI, MACD, volume confirmation, breakout thresholds, and retest checks, but none of these controls are actually enforced in execution. In an automated trading skill, overstating validation logic is dangerous because it can create false confidence in the strategy's safety and performance characteristics.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The file materially misrepresents itself as an automated trading skill but only performs a randomized backtest-like simulation with no broker integration, monitoring loop, or notification logic. In a financial trading context, this is dangerous because users may rely on fabricated or non-functional behavior to make real investment decisions, creating a strong risk of financial loss and deceptive performance claims.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The function claims to enforce trading only during specific high-win-rate hours, but it actually returns a random boolean that is True about 70% of the time, independent of the current time. In an automated trading skill, this undermines risk controls and can mislead operators into believing a timing filter exists when trades are effectively gated by chance.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The docstring says the function returns a confidence score from 0 to 1, but it actually returns a boolean requiring all simulated checks to pass. This discrepancy can cause downstream logic, reporting, or safety thresholds to be built on incorrect assumptions, especially in a trading context where confidence values may drive position sizing or execution decisions.

VirusTotal

64/64 vendors flagged this skill as clean.