Security audit

HK IPO Snapshot Extractor

Security checks across malware telemetry and agentic risk

Overview

The skill advertises a read-only single-IPO snapshot tool, but the bundled runtime also includes financial scoring, decision workflows, profile/watchlist management, and persistent local state.

Review this before installing as a snapshot-only skill. It appears to be a broader HK IPO decision-support suite: it can store local financial preferences, watchlists, scoring parameters, and review history, and it can generate participation recommendations. Install only if you are comfortable with those local state changes and use HKIPO_HOME to contain its files if you want isolation.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (33)

Context-Inappropriate Capability (High, 90% confidence)

The profile workflow reads a local YAML file containing sensitive financial preferences and uses it for personalized screening, which goes beyond the declared snapshot-extraction purpose. In an agent setting, access to local user financial data without tight scoping or explicit consent can expose sensitive information to prompts, logs, or downstream consumers and expands the privacy attack surface.

Description-Behavior Mismatch (Medium, 92% confidence)

The module’s stated purpose is extracting a structured snapshot for a single Hong Kong IPO, but the implementation includes broad market-wide listing, ranking, annual statistics, and feed functions far beyond that scope. In an agent setting, this kind of scope expansion is dangerous because it increases data exfiltration surface, enables unreviewed secondary uses of external data, and makes it easier for downstream prompts or users to repurpose the skill for broader intelligence gathering than intended.

Context-Inappropriate Capability (Medium, 90% confidence)

The code adds sponsor, bookrunner, broker, and stable-price ranking/history analysis that is not justified by the declared single-IPO snapshot function. This matters because institution-name inputs are forwarded to a third-party service and the skill can be used to profile intermediaries at scale, which meaningfully broadens the operational and privacy/compliance risk compared with a narrow factual snapshot extractor.

Context-Inappropriate Capability (Medium, 89% confidence)

The market scroll feed and yearly IPO statistics APIs expose broad market intelligence unrelated to extracting one symbol’s normalized IPO facts. In an agent environment, that extra capability makes misuse easier, increases the amount of remote data the agent can collect, and undermines the principle of least privilege for the declared skill purpose.

Description-Behavior Mismatch (High, 98% confidence)

This file materially deviates from the skill’s declared purpose: instead of extracting a structured Hong Kong IPO snapshot with provenance and quality signals, it implements a standalone IPO allotment prediction engine and CLI. In an agent-skill context, this kind of capability mismatch is dangerous because downstream components may trust the manifest and invoke the skill in inappropriate workflows, causing silent integrity failures, misleading outputs, or policy bypass through undeclared functionality.

Intent-Code Divergence (Medium, 95% confidence)

The docstring and CLI text explicitly describe a 'winning probability prediction' tool, which contradicts the manifest’s extractor description and confirms that the mismatch is not incidental. This increases risk because operators, evaluators, or orchestration systems may misunderstand the skill’s behavior, leading to incorrect automation decisions and reduced ability to review or constrain what the skill actually does.

Intent-Code Divergence (Medium, 97% confidence)

The CLI catches requests.RequestException even though requests is not imported and the code uses httpx. If a network failure occurs, the intended handler will not run; instead, evaluating the except clause can raise a NameError or allow the original httpx exception to escape, causing an unhandled crash. In this skill context, the issue mainly affects reliability and error handling around untrusted network input rather than enabling code execution or privilege escalation.

Description-Behavior Mismatch (High, 89% confidence)

The file implements batch decision, scoring, parameter-version resolution, watchlist handling, and review-history persistence, which materially exceeds the stated purpose of a single-IPO snapshot extractor. In a least-privilege skill model, this creates unnecessary capability expansion and increases the risk of unauthorized analysis workflows, sensitive data accumulation, and side effects beyond user-expected extraction behavior.

Context-Inappropriate Capability (Medium, 84% confidence)

Watchlist-based batch processing broadens the command from one-symbol fact extraction into multi-target processing driven by local stored state. That increases the attack surface and can cause unintended access or processing of symbols the user did not explicitly request, which is especially problematic given the skill's narrow declared scope.

Context-Inappropriate Capability (High, 91% confidence)

Persisting review records and writing artifacts introduces durable side effects unrelated to simple snapshot extraction, creating data retention and provenance risks if sensitive or user-derived results are stored unexpectedly. In the context of this skill, hidden persistence is more dangerous because users would reasonably expect a read-oriented extractor, not a workflow that modifies local state and creates audit/history artifacts.

Description-Behavior Mismatch (High, 90% confidence)

This command performs profile loading, parameter-version resolution, scoring, and decision-card generation even though the declared skill purpose is limited to IPO snapshot extraction. In an agent setting, this kind of scope expansion is dangerous because it grants the skill decision-making and stateful behavior beyond what the operator or user expects, increasing the risk of unauthorized recommendations, hidden side effects, and misuse of broader runtime capabilities.

Context-Inappropriate Capability (Medium, 95% confidence)

The command persists decision-card output into review storage, creating a side effect that is not justified by a snapshot-extractor skill. In an agent environment, unexpected persistence can leak sensitive user inputs or derived assessments, create unauthorized audit trails, and violate least-privilege expectations because a read-oriented extraction tool is silently writing state.

Description-Behavior Mismatch (High, 90% confidence)

This command handler exposes parameter persistence, activation, and scoring-comparison behavior that is materially broader than the declared skill purpose of extracting IPO snapshots. In an agent setting, this scope mismatch is dangerous because it grants hidden stateful and decision-affecting capabilities that a caller or reviewer may not expect, increasing the risk of unauthorized local state mutation and misleading downstream automation.

Description-Behavior Mismatch (High, 95% confidence)

The code saves and activates parameter versions in a local SQLite store even though the skill is described as a read-oriented IPO snapshot extractor. In a security review, undisclosed write capability is risky because it creates persistent side effects, can alter future behavior across runs, and may let an agent silently change scoring inputs or defaults outside user expectations.

Context-Inappropriate Capability (Medium, 86% confidence)

The compare action invokes scoring logic via ScoringService and SnapshotService, which exceeds simple IPO snapshot extraction and introduces an evaluative capability not justified by the stated purpose. In an agent ecosystem, undeclared analysis/scoring functions can be abused to influence decisions or produce outputs that appear endorsed by a narrower, safer skill.

Description-Behavior Mismatch (High, 92% confidence)

The file implements profile viewing and modification behavior that is outside the stated purpose of an IPO snapshot extractor. In an agent skill context, unnecessary capabilities increase attack surface and can let prompts or workflows pivot into local configuration discovery or manipulation that users would not expect from this skill.

Context-Inappropriate Capability (High, 95% confidence)

The `profile set` path can persistently modify user configuration through `loader.repository.update(updates)`, which is a state-changing capability unrelated to extracting IPO data. In an agent environment, unexpected persistent writes are dangerous because prompt-driven misuse or confused-deputy behavior can silently alter defaults such as budget, risk profile, or output behavior across future runs.

Description-Behavior Mismatch (High, 95% confidence)

The file implements broad review-history management capabilities including listing, showing, updating, importing suggestions, and exporting records, which materially exceeds the skill's declared purpose of extracting structured Hong Kong IPO snapshots. Scope drift like this increases the attack surface and can enable unauthorized state changes or data handling paths that users and reviewers would not expect from an extraction-focused skill.

Context-Inappropriate Capability (High, 97% confidence)

These code paths update persisted review records and import suggestion files from user-provided input, introducing write and ingestion capabilities unrelated to IPO snapshot extraction. In the context of a narrowly scoped extraction skill, unexpected persistence changes and external file import are dangerous because they can be abused to tamper with stored data or feed malicious/untrusted content into downstream workflows.

Context-Inappropriate Capability (Medium, 88% confidence)

The export path writes review records to a caller-supplied output path, adding file-output capability beyond the manifested extraction role. While exporting is not inherently malicious, in a mismatched skill context it expands the ability to exfiltrate or overwrite data through filesystem interactions that users may not anticipate.

Description-Behavior Mismatch (High, 93% confidence)

The renderer exposes profile, watchlist, review history, suggestions, parameter versions, storage paths, run IDs, and decision/scoring workflow data that exceed the stated purpose of a single-IPO snapshot extractor. If these renderer paths are reachable through the skill, they can disclose sensitive operational metadata and user-specific configuration, enabling unauthorized insight into user behavior and internal system structure.

Context-Inappropriate Capability (Medium, 89% confidence)

The profile renderer reveals configuration-oriented data such as budget limits, financing preference, source tracking, config file location, and whether an API token is configured. Even without printing the token value, this leaks sensitive account and environment information beyond snapshot extraction, increasing the attack surface for reconnaissance and targeted abuse.

Context-Inappropriate Capability (High, 95% confidence)

These renderers expose unrelated workflow domains including review records, exports, suggestion adoption, parameter tuning, comparison, scoring, and decision cards. In the context of a snapshot-extraction skill, this functionality broadens access to historical trading-like decisions, internal scoring logic, and storage metadata, creating unnecessary data exposure and privilege creep.

Description-Behavior Mismatch (High, 98% confidence)

This service implements review-history persistence, suggestion import, and parameter-set mutation capabilities that materially exceed the declared purpose of an IPO snapshot extractor. In an agent skill, this kind of scope mismatch is dangerous because it quietly adds administrative and state-changing behavior that could be invoked to alter scoring or review workflows, increasing attack surface and enabling unauthorized configuration changes.

Context-Inappropriate Capability (High, 99% confidence)

The code can accept imported suggestions and activate a newly saved parameter version, directly changing the active configuration used by the system. In the context of a skill that is supposed to extract IPO snapshots, hidden configuration-write capability is especially risky because a crafted suggestion could influence downstream decisions or scoring logic without that power being justified by the declared function.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.