
Security audit

Longbridge Skills

Security checks across malware telemetry and agentic risk

Overview

This package is mostly a finance skill bundle, but it ships overbroad local agent permissions, hard-coded session cookies, and a remote reinstall path that can modify agent skill directories.

Review before installing. Use a pinned or locally inspected copy instead of piping remote scripts to bash, remove .claude/settings.local.json and .worktrees from any installable package, revoke/rotate any exposed iwencai session material, and only enable account, order, portfolio, or watchlist workflows after confirming the Longbridge OAuth scope and per-action confirmation behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (189)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
This permission block grants capabilities far beyond any narrowly scoped skill need: environment dumping, broad git/gh access, arbitrary Claude invocations, and multiple `claude -p --dangerously-skip-permissions` executions. In combination, these allow bypass of normal guardrails, access to account/context data, and execution of secondary agents that can perform unintended actions with the user's authority.

Context-Inappropriate Capability

Severity: High
Confidence: 100%
The configuration embeds live-looking authenticated session cookies and bearer-like session material directly into allowed `curl` commands to access remote iwencai resources. This exposes secrets in the skill itself and authorizes external requests as the user, creating immediate risk of credential leakage, account misuse, and unauthorized data access/downloads.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
The skill presents itself as prompt-only and indicates login is not required, yet its workflow explicitly instructs access to portfolio holdings and historical price data when a user is logged in. This mismatch can mislead users and orchestrators about the data sensitivity of the skill, increasing the chance that account data is accessed without a clear expectation or consent moment.

Intent-Code Divergence

Severity: Low
Confidence: 84%
Marking the skill as `requires_login: false` is incomplete or misleading because the documented behavior includes analyzing actual logged-in portfolio data. Even if login is optional, the metadata understates privacy sensitivity and can cause the platform or user to underestimate when personal financial data may be processed.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
The skill describes an event-driven investment workflow that includes 'position sizing' in the front matter and overview, while later output constraints say not to provide entry timing, stop-loss, target prices, or holding-period recommendations. This inconsistency can cause an agent to generate actionable trading guidance despite the disclaimer, which is risky in a financial-trading context because users may rely on it as personalized or operational investment advice.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
The manifest explicitly states `requires_mcp: false`, but the body instructs the agent to fall back to an MCP server when the CLI is unavailable. This creates a policy/configuration mismatch that can cause the agent to invoke an alternate execution path that operators did not intend to permit, potentially exposing data or capabilities through whatever MCP tools are available at runtime.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
The skill markets itself as providing Stock Connect northbound/southbound flow analysis, but its own workflow admits exact totals may be unavailable and then substitutes single-stock capital-flow proxies. This can mislead downstream users into treating inferred or unrelated liquidity metrics as official cross-border flow data, creating a data integrity problem in an investment-analysis context.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
The output template presents a 'Stock Connect Flow Summary' with concrete net-flow values even though the workflow may derive those figures from proxy signals such as large-order analysis and AH premium behavior. In a financial decision-support skill, this formatting can cause users or agents to overtrust estimates as authoritative market data, leading to materially incorrect conclusions or trading actions.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
The skill presents itself as read-only account viewing, but it requires OAuth trade scope and exposes trading-adjacent functionality such as max-buy/max-sell quantity and margin calculations. That mismatch can mislead users or higher-level agents into granting broader account permissions than expected, increasing the blast radius if the skill is misused or chained with other capabilities.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
The skill explicitly frames itself as 'not investment advice' while also instructing the agent to generate action recommendations and handle add/reduce/stop-loss style decisions. That contradiction can cause the agent to provide individualized trading guidance under the guise of neutral monitoring, which is risky in a finance context and may bypass policy or compliance expectations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
The manifest advertises the skill as read-only (`risk_level: read_only`, `requires_login: false`, `tier: read`) while the body explicitly supports mutating operations such as create, add, remove, sort, and delete. This metadata mismatch can cause downstream policy engines, reviewers, or users to authorize or auto-install the skill under a lower-risk classification than it actually deserves, increasing the chance of unintended state-changing actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
The manifest labels the skill as `read_only` and `tier: read`, but the documented workflow explicitly supports creating topics and replies. This mismatch can mislead policy engines, reviewers, or users into granting or invoking the skill under a lower-risk classification than its actual capabilities, increasing the chance of unintended posting actions.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
The skill explicitly states that position data must not be read without user authorization, but elsewhere instructs the agent to automatically read positions, watchlists, and account assets by default. This creates a real privacy and authorization flaw: an agent following the workflow could access sensitive brokerage data without clear user consent, exposing holdings, balances, and watchlist contents beyond the user's immediate request.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
The document explicitly instructs the agent to use web search for precedent transaction data, expanding execution beyond the described Longbridge CLI workflow into uncontrolled external browsing. That creates a real data-exfiltration and scope-creep risk because the skill may access third-party sites, transmit query context, and ingest untrusted content without any explicit authorization or guardrails.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
The metadata labels the skill as `read_only`, but the documented `ipo orders` and `ipo profit-loss` capabilities extend beyond passive market-data retrieval and introduce account-linked trading functions. This mismatch can cause unsafe routing, over-trust by users or orchestrators, and accidental invocation of account-affecting operations under a supposedly low-risk skill.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
The skill is presented as a market-data tool, but its scope includes IPO order-related functionality that goes beyond information retrieval into transactional behavior. That scope creep is dangerous because users, policy engines, or automated agents may invoke the skill assuming it is informational only, while hidden or adjacent commands can reach authenticated trading flows.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
The skill explicitly forbids reading position data without user authorization, but elsewhere directs the agent to automatically call `longbridge positions` during the workflow and to use positions as a default data source for cost basis. That contradiction can cause unauthorized access to sensitive financial account data, especially if an agent follows the operational steps rather than the guardrail text.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
The spec explicitly instructs the agent to invoke a raw MCP action (`mcp__longbridge__alert_add`) from within a valuation skill, which expands scope from read-only analysis into state-changing behavior. Even though the route is phrased as a follow-up user request, mixing read-only financial analysis with direct alert creation increases the chance of unintended side effects, permission boundary confusion, and tool misuse if routing or confirmation logic is weak.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
The document explicitly forbids reading holdings without user authorization, but later workflow sections default to automatically calling positions, watchlist, and assets commands. This creates a privacy and consent violation: a user asking for a general signal analysis could unintentionally trigger access to sensitive brokerage data, including portfolio composition and account value.

Vague Triggers

Severity: Medium
Confidence: 82%
The wildcard shell permission at this location permits a command pattern with attacker-controlled trailing arguments, weakening command scope and making abuse easier if the skill is triggered in unexpected contexts. While not as severe as the authenticated network and permission-bypass issues, broad shell globs expand the attack surface and can enable execution of unintended command variants.

Vague Triggers

Severity: Medium
Confidence: 83%
The trigger list includes the standalone phrase "price alert," which is broad enough to match informational or ambiguous user queries and may activate a mutating skill unexpectedly. Although the skill includes a preview-and-confirm safeguard, unintended invocation can still expose account data or steer the conversation into an unnecessary mutation flow, increasing the chance of user confusion or mistaken confirmation.

Vague Triggers

Severity: Medium
Confidence: 86%
The trigger list is very broad and includes generic terms like 'anomaly', 'volume spike', 'price spike', and common Chinese market-commentary phrases. This can cause over-triggering, where the skill activates for ordinary finance discussions and steers the agent into using this skill in contexts the user did not intend, reducing routing precision and potentially suppressing more appropriate skills.

Missing User Warnings

Severity: Medium
Confidence: 91%
The skill describes using actual Longbridge portfolio data without a prominent warning or consent checkpoint before accessing positions and historical account-linked data. For a financial-analysis skill, this context increases sensitivity because holdings and transaction-related data are personal financial information, so silent or implicit access creates privacy and trust risks.

Vague Triggers

Severity: Medium
Confidence: 89%
The trigger list includes broad phrases like '好生意', 'value investing', and '长期持有' that can match ordinary financial discussion rather than an explicit request for this specific skill. That can cause unintended invocation, leading the agent to route users into a stock-analysis workflow unexpectedly and increasing the chance of inappropriate financial-analysis responses in unrelated contexts.

Vague Triggers

Severity: Medium
Confidence: 91%
The trigger text is broad enough to activate on many generic investing questions, not just calendar-specific requests. That can route users into a workflow that automatically pulls holdings/watchlist context and produces unsolicited event and opportunity analysis, increasing the chance of over-collection and misaligned responses.

VirusTotal

65/65 vendors flagged this plugin as clean.
