Back to skill

Security audit

dexter

Security checks across malware telemetry and agentic risk

Overview

Dexter is a coherent financial research skill, but it installs and runs an external project that users should review before trusting with API keys or private research queries.

Install only if you are comfortable cloning and running the upstream Dexter project. Use least-privilege API keys, keep `.env` private, avoid confidential investment research unless third-party providers are acceptable, and review the upstream repository and dependencies before running `bun install`.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill routes some international-stock queries to Tavily web search, which can send user prompts and company/ticker research terms to an external provider, but the top-level skill description does not clearly disclose that behavior. This is a real transparency and data-handling issue because users may reasonably assume all queries stay within the financial datasets workflow unless explicitly warned otherwise.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.