
Security audit

Privora · A-share / Hong Kong stock / gold / fund multi-asset quantitative analysis · quantitative backtesting · paper trading · real-time alerts · risk monitoring · Python strategies · AI Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Privora financial-workflow integration that can read data and perform scoped platform actions, so it is suitable only with a least-privilege token.

Install only if you intend to connect an AI agent to Privora. Use a dedicated token with the minimum scopes needed, start read-only where possible, require confirmation for workflow execution, scheduler changes, portfolio/trading writes, and webhook sends, and rotate the token if exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Tp2

High
Category
MCP Tool Poisoning
Confidence
85% confidence
Finding
Mixing characters from multiple Unicode scripts in a single identifier is a common technique for creating visually ambiguous (homoglyph) tool names, which can shadow or impersonate a legitimate tool that an agent already trusts.
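The check a practitioner would run against a skill's tool list for this finding, as an added example (not code from the audit tool or from Privora): label each character's script from its Unicode name, flag identifiers that mix scripts or contain invisible format characters, and fold look-alike letters to an ASCII skeleton so that two names which render identically collapse to the same key. The homoglyph table and the sample tool names are constructed for illustration; a real deployment would use the full Unicode confusables data (UTS #39).

```python
"""Detect mixed-script, invisible-character and look-alike tool identifiers."""
import unicodedata

# Coarse script label taken from the Unicode character name prefix
# ("CYRILLIC SMALL LETTER IE" -> "CYRILLIC").
SCRIPT_PREFIXES = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC")

# Constructed, deliberately small homoglyph table: non-Latin letters that render
# like ASCII letters. Unicode UTS #39 confusables is the complete source.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a",  # Greek omicron, alpha
}


def script_of(ch: str) -> str:
    """COMMON for digits/punctuation, INVISIBLE for format/combining/control
    characters, otherwise the script prefix of the character's Unicode name."""
    if unicodedata.category(ch) in ("Cf", "Mn", "Me", "Cc"):
        return "INVISIBLE"
    if ch.isascii() and not ch.isalpha():
        return "COMMON"
    name = unicodedata.name(ch, "")
    for prefix in SCRIPT_PREFIXES:
        if name.startswith(prefix):
            return prefix
    return "OTHER"


def ascii_skeleton(name: str) -> str:
    """Fold look-alike letters to ASCII and drop invisibles so that names which
    render the same collapse to one key."""
    out = []
    for ch in unicodedata.normalize("NFKC", name):
        if script_of(ch) == "INVISIBLE":
            continue
        out.append(HOMOGLYPHS.get(ch, ch))
    return "".join(out)


def analyze_identifier(name: str) -> dict:
    """Per-identifier verdict: scripts present, mixed-script flag, invisibles."""
    scripts = sorted({script_of(ch) for ch in name} - {"COMMON"})
    visible_scripts = [s for s in scripts if s != "INVISIBLE"]
    return {
        "name": name,
        "scripts": scripts,
        "mixed_script": len(visible_scripts) > 1,
        "has_invisible": "INVISIBLE" in scripts,
        "skeleton": ascii_skeleton(name),
    }


def audit_tool_names(names):
    """Report mixed-script names, names carrying invisible characters, and groups
    of distinct names that collapse to the same rendered skeleton."""
    reports = [analyze_identifier(n) for n in names]
    by_skeleton = {}
    for r in reports:
        by_skeleton.setdefault(r["skeleton"], set()).add(r["name"])
    return {
        "mixed_script": [r["name"] for r in reports if r["mixed_script"]],
        "invisible": [r["name"] for r in reports if r["has_invisible"]],
        "lookalike_collisions": {
            k: sorted(v) for k, v in by_skeleton.items() if len(v) > 1
        },
    }


# Constructed sample tool list: a clean name, the same name with a Cyrillic
# "е" (U+0435) in place of Latin "e", and a name with a zero-width space.
SAMPLE_TOOLS = [
    "get_quotes",
    "g\u0435t_quotes",
    "run_workflow",
    "run_work\u200bflow",
]

if __name__ == "__main__":
    for key, value in audit_tool_names(SAMPLE_TOOLS).items():
        print(key, value)
```

Run this over the names a skill registers before the agent sees them; a collision between a registered name and a name already trusted by the agent is the condition the Tp2 finding warns about, and any identifier with an invisible character should be rejected outright.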

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The manifest markets the skill as a financial data backend, but the documented surface includes generic remote skill discovery and execution pathways plus broad platform operations. That mismatch can cause an operator or agent to overtrust the integration and use a token assuming read-mostly data access when it can also trigger workflows, mutate state, and invoke external effects.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The top-level description materially understates the breadth of platform-management features exposed, including process execution, scheduler/job control, datasource and dashboard mutation, subscriptions, and webhook-triggering paths. Under-disclosure of these capabilities increases the chance that users grant tokens or install the skill under a false assumption of passive data access, leading to unauthorized state changes or external notifications.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The security notes claim the public skill is limited to read-only and non-destructive writes, yet the documented API includes workflow execution, scheduler instance state transitions, pipeline/job updates, and outbound webhook triggers. This inconsistent safety framing can mislead operators into allowing autonomous use of actions that create persistent changes or external side effects.
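The Description-Behavior Mismatch and Intent-Code Divergence findings both reduce to one check: does the skill's stated safety framing match the effect class of the tools it actually exposes? The following added example (not code from the audit tool or from Privora) performs that check and derives the confirmation policy the overview recommends. It reads the MCP tool annotation fields `readOnlyHint`, `destructiveHint` and `openWorldHint`, whose names and defaults (false, true, true) come from the MCP specification; for unannotated tools it falls back to a verb heuristic on the tool name, which is an assumption of this example. The manifest, its `security_notes` field and all tool names are constructed for illustration.

```python
"""Compare a skill's stated safety framing with the effect class of its tools."""
import re

# Heuristic only, used when a tool carries no MCP annotations (assumption).
MUTATING_VERBS = re.compile(
    r"^(run|execute|trigger|send|notify|update|create|delete|remove|set|start|"
    r"stop|pause|resume|schedule|subscribe|unsubscribe|place|cancel)(_|$)",
    re.IGNORECASE,
)
EXTERNAL_EFFECT_VERBS = re.compile(
    r"^(send|notify|trigger|webhook|post)(_|$)", re.IGNORECASE
)


def classify_tool(tool: dict) -> str:
    """Return "read", "write" or "external" for one tool.

    Annotations win when present. Per MCP defaults a missing readOnlyHint means
    the tool may mutate and a missing openWorldHint means it may reach outside
    the server, so an annotated-but-vague tool is treated as external.
    """
    ann = tool.get("annotations")
    name = tool["name"]
    if ann is not None:
        if ann.get("openWorldHint", True) and not ann.get("readOnlyHint", False):
            return "external"
        if ann.get("readOnlyHint", False):
            return "read"
        return "write"
    if EXTERNAL_EFFECT_VERBS.match(name):
        return "external"
    if MUTATING_VERBS.match(name):
        return "write"
    return "read"


def is_destructive(tool: dict) -> bool:
    """True for annotated tools that may mutate and do not declare
    destructiveHint false (MCP default is true). Unannotated tools are unknown."""
    ann = tool.get("annotations")
    if ann is None or ann.get("readOnlyHint", False):
        return False
    return bool(ann.get("destructiveHint", True))


def audit_manifest(manifest: dict) -> dict:
    """Flag tools that contradict a read-only claim and split the tool list into
    auto-approvable reads and actions that need operator confirmation."""
    notes = manifest.get("security_notes", "")
    claims_read_only = bool(re.search(r"read[- ]only", notes, re.IGNORECASE))
    tools = manifest["tools"]
    classes = {t["name"]: classify_tool(t) for t in tools}
    unannotated = {t["name"] for t in tools if "annotations" not in t}
    non_read = sorted(n for n, c in classes.items() if c != "read")
    return {
        "claims_read_only": claims_read_only,
        "classes": classes,
        "contradicting_tools": non_read if claims_read_only else [],
        "unannotated_mutating": sorted(n for n in non_read if n in unannotated),
        "destructive": sorted(t["name"] for t in tools if is_destructive(t)),
        "auto_approve": sorted(n for n, c in classes.items() if c == "read"),
        "require_confirmation": non_read,
    }


# Constructed manifest modelled on the mismatch described in the findings:
# marketed as a data backend, claims read-only, but exposes execution paths.
SAMPLE_MANIFEST = {
    "description": "Financial data backend for quotes, fundamentals and backtests.",
    "security_notes": "Public skill is limited to read-only and non-destructive writes.",
    "tools": [
        {"name": "get_quote",
         "annotations": {"readOnlyHint": True, "openWorldHint": False}},
        {"name": "list_strategies", "annotations": {"readOnlyHint": True}},
        {"name": "run_workflow",
         "annotations": {"readOnlyHint": False, "destructiveHint": True,
                         "openWorldHint": False}},
        {"name": "send_webhook"},                # unannotated: heuristic applies
        {"name": "update_scheduler_instance"},   # unannotated: heuristic applies
    ],
}

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(key, value)
```

The `require_confirmation` list is the set of tools a least-privilege token should not be able to invoke autonomously; any non-empty `contradicting_tools` list is exactly the inconsistency the two findings describe, and `unannotated_mutating` shows which tools the author left the agent to guess about.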

VirusTotal

64/64 vendors rated this skill clean (no detections).


Static analysis

No suspicious patterns detected.