Back to skill

Security audit

Portfolio Monitor | 投资组合监控

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only portfolio reporting skill that handles sensitive holdings but does not include hidden code, credential access, trading authority, or destructive behavior.

Install only if you are comfortable providing portfolio details for analysis. Confirm what external data sources the agent will query, keep any recurring weekly checks under your control, and treat buy, sell, or allocation suggestions as research input rather than professional financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are broad enough to match ordinary investment-related conversation, which can cause the skill to activate when the user did not explicitly intend portfolio monitoring. In this context, unintended activation is risky because the skill is designed to process sensitive portfolio holdings and may initiate data collection or analysis workflows on private financial information.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill states that portfolio, price, financial-report, and news data may be obtained via external APIs and scraping, but it does not warn the user that portfolio-related information could be transmitted to third parties. Because holdings data can reveal sensitive financial positions and behavior, silent transmission to external services creates a meaningful privacy and data-handling risk.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.