Agent Shark Mindset

Security checks across malware telemetry and agentic risk

Overview

This skill should be reviewed because it can autonomously post trading signals and promotional content to Telegram using bot credentials.

Install only if you intentionally want scheduled automation that can publish market-related posts and VIP signals externally. Use test/private channels first, give the Telegram bot the minimum channel permissions, keep financial-signal and promotional posts in manual-review mode where possible, verify the exact cron jobs before enabling them, and periodically inspect or clean the CASHFLOW, memory, STRATEGY, and .learnings files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The skill’s declared scope centers on market intelligence and Telegram delivery, but it also directs the agent to generate promotional content and operate growth/payment funnel components across X, Reddit, YouTube, Google, landing pages, and payments. This scope expansion increases the chance of unauthorized external actions, policy drift, and unintended data disclosure because the skill encourages autonomous behavior on platforms not clearly declared or permission-bounded.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The file states strict network limits and forbidden source categories, but later says the agent may fall back to generic web search if optional skills are absent. That contradiction weakens trust boundaries and can cause the agent to access undeclared or lower-integrity sources, defeating the intended restriction model.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
The cron job explicitly authorizes autonomous publication of free and VIP trading signals to Telegram channels, which goes beyond passive market intelligence and crosses into external action with financial consequences. In the context of an autonomous agent, this is dangerous because it can broadcast investment advice or promotional content without human review, creating abuse, compliance, reputational, and user-harm risks.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
This cron authorizes the agent to autonomously generate and publish promotional content and VIP upsell messages, which is a growth-marketing capability rather than a narrowly scoped intelligence function. That mismatch increases risk because the agent can perform external persuasion and spam-like actions automatically, especially under an aggressive tone mandate designed to maximize conversion.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The README states that the skill will automatically create required files on first run, but gives no warning about workspace modification, scope, or safety boundaries. In an autonomous agent context, silent file creation can lead to unexpected persistence, overwriting of user data, or creation of operational artifacts that the user did not explicitly authorize.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill instructs autonomous posting to Telegram and other public channels without a clear, prominent warning that external publication transmits generated content and possibly derived internal insights outside the workspace. This can lead to unintended disclosure, reputation damage, or spam-like behavior if the owner has not explicitly approved automated publishing.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill requests several Telegram-related secrets and account identifiers but does not clearly warn about credential sensitivity, account takeover risk, or the consequences of bot/admin misuse. In combination with autonomous posting, these credentials enable broad external actions if mishandled or over-permissioned.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The instructions permit sending Telegram messages and writing local state and memory files, but the documentation does not clearly warn users that the skill will take external actions and persist data. This lack of transparent disclosure is risky because operators may install it expecting analysis, while the cron actually performs autonomous posting and local data modification.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The audience-growth job includes autonomous publishing and VIP promotion, but the file presents this operationally rather than as a clearly flagged behavior requiring user awareness. Because the agent is instructed to optimize engagement and conversion, undisclosed automatic posting is more dangerous in this context than a simple draft-generation skill.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The weekly audit reads accumulated tracking and content data, writes a strategy file, and sends a report via Telegram without a clear privacy and system-impact warning in the documentation. While less severe than signal publishing, it still creates data-handling and disclosure risk because users may not realize operational data will be read, summarized, stored, and transmitted externally.

VirusTotal

58/58 vendors flagged this skill as clean.