Behavioral Finance

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it presents random or hardcoded trading analysis as actionable financial signals and backtest results.

Install only if you treat it as a simulator or educational example. Do not use its outputs for real trading, automated execution, portfolio sizing, or risk decisions unless it is changed to use verified market data, reproducible calculations, and explicit demo labeling.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Intent-Code Divergence

Medium

Confidence: 98% confidence
Finding: The skill advertises behavioral-finance detection and sentiment analysis, but core outputs are generated with random values via numpy rather than from real market inputs. In a trading-analysis context, fabricated signals can mislead downstream agents or users into making financial decisions based on non-existent evidence, creating a materially dangerous integrity failure.

Intent-Code Divergence

Medium

Confidence: 97% confidence
Finding: The backtest function claims to perform a strategy backtest but returns fixed, hard-coded performance metrics. In an investment skill, presenting fictional profitability, drawdown, and Sharpe values as real backtest results can induce unjustified trust in the strategy and lead to harmful financial decisions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal