Tradingview Quantitative

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed TradingView market-analysis skill whose main risks are relying on financial recommendations and configuring an external API key.

Install only if you are comfortable sending market symbols, news queries, and related analysis requests to TradingView/RapidAPI through the configured MCP service. Keep API keys private, prefer environment variables or protected config files, and treat all buy/sell, options, stop-loss, target-price, and position-sizing outputs as research prompts rather than personalized financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (12)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The example presents specific entry, target, stop-loss, and position-sizing guidance as actionable trading advice without any visible risk disclosure, suitability warning, or statement that the content is educational only. In a retail-facing investment analysis skill, this can mislead users into treating illustrative examples as personalized financial advice and encourage risky trading behavior without understanding market, liquidity, or suitability risks.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
This section gives concrete entry points, target prices, stop-loss rules, and implied success rates that could be interpreted as actionable investment advice, yet it does not warn users that the material is informational, probabilistic, and may lead to financial loss. In the context of a trading-analysis skill, users are especially likely to rely on this guidance directly, which increases the chance of harmful real-world decisions.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The document assigns numeric scores to trading signals and maps them directly to recommendations such as 'Strongly Recommend' and 'Not Recommend' without any disclaimer that the material is educational and not financial advice. In a skill explicitly marketed as a professional investment analysis system, users may treat these outputs as authoritative trading guidance and incur financial losses from overreliance on simplified heuristics.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The examples present specific securities, prices, scores, and recommendation-style conclusions, which can be read as concrete trading endorsements if consumed by end users. Because the surrounding skill context is a quantitative investment analysis tool, these examples materially increase the chance that users copy the illustrated decisions into real trades without understanding limitations, market changes, or downside risk.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The example provides concrete buy recommendations, entry ranges, target prices, stop losses, and position sizing without any warning that the content is educational, may be stale, and can lead to financial loss. In a trading-analysis skill, users may reasonably rely on this as actionable advice, increasing the chance of unsuitable or harmful trading decisions.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The options example gives a specific strategy, strikes, expiration, profit/loss figures, probability of profit, and management rules without any warning that options can result in substantial losses and may be unsuitable for many users. Because options are complex leveraged instruments, omission of suitability and risk disclosures makes the guidance materially more dangerous than ordinary stock commentary.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The workflow explicitly instructs the agent to get the user's stock holdings list without any prior consent, disclosure, or indication of data source boundaries. Portfolio holdings are sensitive financial information, and silently accessing or inferring them can violate user expectations, privacy requirements, or internal data-handling policies.

Natural-Language Policy Violations

Severity: Medium
Confidence: 93%
Finding
The workflow hard-codes `lang='zh-Hans'` and China-specific market defaults for news retrieval without checking the user's locale, market, or consent. This can silently bias analysis toward Chinese-language and China-market sources, causing incomplete or misleading event assessment for users expecting broader or different regional coverage; in a trading workflow, such biased inputs can directly affect investment decisions.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The workflow is described in broad terms ('Get financial news for specified countries/regions, analyze impact, and generate structured briefings') without explicit activation boundaries, authorization checks, or user-intent constraints. In an agent setting, this can cause overbroad triggering or misuse for unattended mass collection and synthesis of market-moving content, increasing the risk of unintended actions, excessive tool use, or policy/scope violations.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The workflow explicitly produces 'Investment Recommendations' and 'Leader stock recommendations' without requiring any disclaimer, suitability caveat, or instruction to present the output as informational analysis only. In a quantitative trading skill, that omission increases the chance users will treat the generated content as personalized or authoritative financial advice, which can materially influence investment decisions and create compliance, consumer harm, and trust risks.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The example trigger phrase, "Help me select strong stocks from China A-shares," is broad natural language that can easily overlap with ordinary user requests and unintentionally invoke this workflow. Because the skill generates investment screening and buy recommendations, overly broad triggering increases the chance of unsolicited or mis-scoped financial guidance being produced in contexts where the user did not explicitly request this specific workflow.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The workflow explicitly instructs the system to provide buy recommendations, stop losses, and target prices without any visible warning that the output is informational rather than financial advice. In a quantitative trading skill, this materially raises the risk that users treat the output as personalized investment advice, potentially leading to financial harm, regulatory exposure, or overreliance on automated recommendations.

VirusTotal

64/64 vendors flagged this skill as clean.