Shadow Trading Dashboard

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for maintaining a local simulated trading dashboard, with disclosed local file updates and no evidence of hidden code, credentials, network access, or destructive behavior.

Install only if you want an agent to maintain the local trade/ dashboard files. Review generated changes to prices, quantities, fees, cash, equity, and history before relying on the simulated portfolio dashboard.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium, 91% confidence
Finding
The skill explicitly instructs the agent to read and write multiple local trade records and dashboard artifacts, but it does not disclose to the user that invoking the skill can mutate persistent portfolio data. This creates a meaningful integrity risk: a user may ask to view or discuss the dashboard and unintentionally trigger file modifications across several trading records.

Missing User Warnings

Low, 84% confidence
Finding
The workflow directs running `open` on a local HTML file, which launches a browser and renders local content, without warning the user that an external application will be started. While opening a local dashboard is expected in context, silently launching applications or local HTML can still surprise users and may execute active browser-side content embedded in the file.

VirusTotal

65/65 vendors flagged this skill as clean.
