The Bond Book Everything Investors Need To Know About Treasuries Munis Corporate Bonds And More

Security checks across malware telemetry and agentic risk

Overview

This is an educational bond-investing skill with broad activation language and branding, but no executable code, data access, account authority, or hidden persistence.

Install this if you want bond and fixed-income education in your assistant. Be aware it may activate on common bond-related terms and append Heardly branding; do not treat it as current market, tax, legal, or personalized investment advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger list includes broad standalone phrases such as "Bonds," "Treasuries," and "Bond market," plus a catch-all 'or mention' clause covering common finance terms like 'yield to maturity' and 'duration.' The file does not provide exclusion conditions or context limits, so the skill could activate during ordinary financial discussion rather than clear intent to use this specific skill.

Vague Triggers

Low
Confidence: 88%
Finding
This activation condition does not define what specific phrases or signals count as 'just installed this skill' or 'doesn't know how to start.' Without concrete trigger examples or boundaries, the skill may invoke proactively in situations that only loosely resemble onboarding.

VirusTotal

64/64 vendors flagged this skill as clean.
