Security audit

Quant Data Platform

Security checks across malware telemetry and agentic risk

Overview

This is not overt malware, but it is flagged for review because it presents randomly generated market data as real trading data.

Review carefully before installing or using. Do not use this as a source of live, historical, fundamental, alternative, factor, or quality data for trading, backtesting, valuation, alerts, or risk decisions unless the implementation is changed to fail closed, require explicit simulation mode, and label every returned payload with its true source. Use a dedicated low-privilege Tushare token and an isolated environment if you test it.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Intent-Code Divergence

Medium

Confidence: 98% confidence
Finding: The method is documented and branded as returning real-time quotes, but on provider failure or missing dependencies it silently falls back to generated mock market data. In a quantitative trading context, synthetic quotes can drive trading, valuation, alerts, or risk logic with fabricated prices while appearing legitimate, making this more dangerous than an ordinary placeholder implementation.

Intent-Code Divergence

Medium

Confidence: 97% confidence
Finding: The tick-data API promises tick-by-tick market data but may quietly return synthetic records if the upstream call fails. Because tick data is often used for execution, slippage analysis, surveillance, and backtesting, fabricated ticks can materially distort trading decisions and downstream models.

Intent-Code Divergence

Medium

Confidence: 99% confidence
Finding: These APIs present sentiment, news, and fundamentals as if they are real datasets, but the implementation generates random placeholder values and fake-looking items. In a trading-data platform, this can mislead users into relying on fabricated alternative and fundamental signals for research or automated decisions.

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The file and skill metadata market the component as a comprehensive quantitative data platform, yet many advertised capabilities are mock, empty, or randomly generated without strong disclosure. This creates a systemic integrity risk: consumers may treat the platform as production-grade market infrastructure and make financial decisions on non-authentic data.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.