Security audit

Chanlun Analysis Pro

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed stock technical-analysis skill, but users should treat its trading suggestions as educational rather than financial advice.

Install only if you want a technical-analysis assistant for Chanlun-style market study. It does not appear to trade, access accounts, or handle credentials, but it can produce specific buy/sell and position-sizing suggestions, so verify market data independently and do not rely on it as personalized financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Medium
Confidence: 92%
Finding
The README explicitly promotes stock analysis, buy/sell point generation, and trading decision support, but does not include any disclaimer that outputs may be incorrect, incomplete, or not financial advice. In a skill designed to influence investment actions, this omission increases the chance that users over-trust model output and make harmful financial decisions based on speculative or automated analysis.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger list is extremely broad and overlaps with ordinary financial discussion, so the skill may activate unintentionally during general market conversations. In a skill that emits concrete trading analysis and recommendations, unintended invocation can steer user decisions without deliberate consent, increasing risk of harmful or unsuitable financial guidance.

Missing User Warnings

High
Confidence: 97%
Finding
The skill gives actionable buy/sell guidance, entry zones, stop-losses, and timing cues without a prominent warning that outputs are informational only and not financial advice. In the context of retail trading, this can materially influence asset decisions and cause direct financial loss, especially when paired with broad triggers and authoritative framing.

Vague Triggers

Medium
Confidence: 87%
Finding
The shortcut triggers are single common finance words such as "/买点", "/卖点", "/背驰", and "/画图", with no explicit namespace, delimiter rules, or disambiguation logic. In a conversational financial assistant, these broad triggers can fire unintentionally during normal user dialogue, causing the agent to enter specialized analysis modes or produce outputs the user did not explicitly request.

Missing User Warnings

Medium
Confidence: 96%
Finding
The document gives specific trading rules, position sizing, stop-loss thresholds, and buy/sell signals, which can be directly acted on by users, yet it does not clearly state that the material is educational only and not financial advice. In a skill context, this omission increases the chance that users will treat the guidance as authoritative investment instruction and suffer financial loss from unsuitable or overconfident trading decisions.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.