Privora · A-shares / Hong Kong stocks / gold / funds multi-asset quantitative analysis · quantitative backtesting · paper trading · real-time alerts · risk monitoring · Python strategies · AI Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Privora financial-data integration, but users should treat its token and webhook features as sensitive because they can expose portfolio data and change platform state.

Install only with a dedicated least-privilege Privora token, set LG_AGENT_BASE_URL=https://privora.cn explicitly, start with read-only scopes where possible, and require manual confirmation before workflow execution, scheduler changes, alert evaluation, webhook sends, or any portfolio/trading-record mutation. Treat returned holdings, P&L, logs, and webhook payloads as sensitive financial data visible to the agent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium (88% confidence)
Finding
The skill claims the public edition excludes high-risk administrative/management operations, yet it exposes workflow and scheduler actions such as execute, redo, hold, resume, dependency replacement, and plugin/webhook configuration that mutate persistent state. This understatement can mislead operators into granting autonomy to an agent for operations that can rerun jobs, alter workflows, or trigger notifications.

Intent-Code Divergence

Medium (85% confidence)
Finding
The documentation says holdings remain encrypted to the agent, but later examples show the agent retrieving readable holdings and P&L. That inconsistency can cause users to underestimate data exposure and may result in sensitive financial information being surfaced, logged, or forwarded by agents under the mistaken assumption that it remains ciphertext.

Vague Triggers

Medium (76% confidence)
Finding
Broad natural-language activation guidance such as inviting users to simply ask the agent for investment tasks increases the chance of accidental invocation from ordinary conversation. In a skill with write, execution, and webhook capabilities, over-broad triggering raises the risk of unintended state changes or external notifications without a deliberate opt-in moment.

Missing User Warnings

Medium (90% confidence)
Finding
The skill advertises alerting and webhook delivery to Feishu, WeChat, and generic endpoints without a prominent user-facing warning that data may leave the platform. Because the skill handles sensitive portfolio, trading, and monitoring data, outbound notifications can become an exfiltration path if endpoints are misconfigured, attacker-controlled, or triggered too broadly.

VirusTotal

61/61 vendors flagged this skill as clean.