Back to skill

Security audit

Wind Mcp Skill

Security checks across malware telemetry and agentic risk

Overview

The skill appears to provide Wind financial data, but it also runs background self-updates and stores API keys in files, so it needs review before installation.

Review this skill before installing if you require strict change control. It will execute local Node.js code, contact Wind endpoints, store a Wind API key if configured, and may update itself in the background. Disable or remove the updater if you do not want installed skill code to change without a direct command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The CLI silently spawns a detached background update-check process on successful calls, copying and executing a local script outside the user’s immediate command flow. Even though intended for auto-update hygiene, hidden subprocess execution expands the skill’s behavior beyond financial queries and creates a supply-chain and user-consent risk if the update script or skill directory is tampered with.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This script performs unattended self-update behavior that can modify the installed skill on disk by invoking package-management commands in the background. For a skill advertised as read-only financial data access, this is an unnecessary capability expansion and creates a supply-chain and integrity risk if the configured source, lock metadata, or upstream repository is compromised.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code calls external `git` and `npx skills` tooling to inspect remote repositories and install/update content, which is unrelated to the declared financial-query purpose of the skill. Invoking external package-management and VCS operations increases attack surface and can be abused for supply-chain compromise, unintended code retrieval, or environmental side effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill is set to auto-invoke while declaring child process execution, filesystem read/write, and network access, which creates a meaningful risk of unreviewed code execution and side effects. In this skill, the instructions explicitly direct the agent to `cd` into the skill directory and run a Node CLI, making the elevated capabilities operational rather than merely theoretical.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The manifest exposes a tool named `natural_language_get_edb_data`, whose broad natural-language scope can make agent routing and policy enforcement less precise. In a finance skill, this increases the chance that loosely related or out-of-scope economic queries are sent to a powerful backend without clear parameter constraints, potentially causing unintended invocation, over-collection of data, or bypass of narrower tool-selection safeguards.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The setup-key command writes the API key directly to disk in a global config file or local skill config without an in-flow warning, confirmation, or secure-secret-store integration. Persisting credentials this way increases the chance of accidental disclosure through backups, repository inclusion, local malware, or multi-user system access, especially for the skill-local JSON file.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The header comment explicitly states that the CLI launches this updater detached and that failures never block normal data calls, meaning file-changing update operations occur silently in the background. Silent modification without a direct warning or consent mechanism is risky because users may not realize the skill can change itself or fetch new code from external sources.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/cli.mjs:846

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/update-check.mjs:402

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/cli.mjs:508