Vincent - Trading Engine

Security checks across malware telemetry and agentic risk

Overview

This skill is openly for automated trading, but it can place real trades using wallet/API credentials and lacks enough guardrails for that level of authority.

Install only if you intentionally want an agent to manage live trading. Before connecting credentials, verify the CLI package and version, restrict wallet/API permissions, set strict spend and position limits, require human approval where possible, test with minimal size or simulation first, and confirm how to pause, cancel, or archive active strategies.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill promotes autonomous trading and automatic order execution, but it does not present a clear, explicit warning to users about financial loss, execution risk, slippage, liquidation, or the consequences of unattended strategy/rule activation. In a trading automation skill, omission of these warnings materially increases the chance that users enable risky behavior without informed consent, especially because the document normalizes always-on monitoring and automated execution workflows.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal