趋势启动扫描器 (Trend Start Scanner)

Security checks across malware telemetry and agentic risk

Overview

This stock-scanning skill mostly matches its stated purpose, but it includes under-disclosed scripts that can overwrite skill files from network-fetched market data and can import code from hard-coded local paths.

Review before installing. Use the main scanner only if you accept local market-data files being created under the configured .qclaw data path, and avoid running the fetch/rebuild helper scripts unless you first change their hard-coded paths, switch data sources to HTTPS where possible, and are comfortable with them overwriting generated stock-pool Python files. Do not treat the backtest results as reliable investment advice without independently validating the thresholds and holding-period logic.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The script prepends an absolute external workspace path to sys.path and then imports executable Python modules from that location. This expands trust beyond the current file, allowing code from a user-specific directory to run implicitly; if that workspace is modified or replaced, the backtest will execute attacker-controlled code during import.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The file’s description and printed labels claim different score thresholds than the code actually enforces (`sig['total'] >= 70`). This can mislead operators about what strategy was backtested and saved, causing incorrect trading decisions or invalid audit/research conclusions. In a financial backtesting context, integrity of labels and thresholds is security-relevant because users may trust outputs that do not match the implemented logic.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The report states the strategy buys every Monday, but the implementation backtests every scan file matching the filename pattern without validating that the date is actually a Monday. This creates materially misleading results because users may trust a Monday-only strategy description while the code evaluates a different entry schedule, undermining the integrity of the backtest and any investment decisions based on it.

Intent-Code Divergence

High
Confidence: 99%
Finding
The function claims to return the price 5 trading days after purchase, but after computing a target date it actually returns the first candle with a date greater than the buy date. This means the holding period is typically one trading day, not one week, producing systematically incorrect performance calculations and potentially severe misrepresentation of strategy profitability.

Missing User Warnings

Medium
Confidence: 98%
Finding
The script fetches data over plain HTTP, allowing a machine-in-the-middle to tamper with the response or inject malicious stock names and codes. Because that untrusted response is later written into a Python source file, network tampering can poison downstream data and potentially create code-injection risk if escaping is incomplete or future parsing changes.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script fetches stock data over plain HTTP from Eastmoney endpoints, allowing a man-in-the-middle on the network path to tamper with responses or observe requests. Because the downloaded data is then used to build a local stock pool file, an attacker could poison the generated dataset and influence downstream trading or analysis logic.

Missing User Warnings

Medium
Confidence: 83%
Finding
The script writes a generated Python file to a hard-coded path under a skills directory without prompting, validation, or backup safeguards. In an agent-skill context, silently overwriting a Python module can alter downstream behavior, destroy existing local content, or introduce persistence in a location likely to be imported later.

Missing User Warnings

Medium
Confidence: 90%
Finding
The script unconditionally writes a generated Python file to a hard-coded absolute path under a user workspace, with no confirmation, path validation, or safety guard. In an agent/skill context, this can overwrite existing code or modify another skill's contents as a side effect, which is risky because network-fetched data is being turned into executable-source-adjacent content and persisted automatically.

Missing User Warnings

Medium
Confidence: 82%
Finding
The script writes directly to a hard-coded path under a user workspace without confirmation, backup, or path validation. In the context of an agent skill, this can silently overwrite an existing skill file and alter downstream agent behavior, making unintended code or data modification more dangerous than in a standalone utility.

VirusTotal

66/66 vendors flagged this skill as clean.