Security audit

Investor Harness

Security checks across malware telemetry and agentic risk

Overview

This is a coherent investment-research prompt stack, but it asks agents to auto-trigger broadly, read personal research files, and persist or mutate workspace state in ways users should review first.

Install only in a dedicated investment-research workspace. Before enabling it globally, review the trigger rules, decide whether biases.md, decision-log.md, coverage files, and archived outputs may be read or written, and set explicit archive/checkpoint locations and cleanup rules. Treat VirusTotal pending status as not decisive; the artifact risk here is overbroad agent control and local persistence, not confirmed malware.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (24)

Description-Behavior Mismatch

Severity: Medium
Confidence: 86%
Finding
The file instructs the agent to initialize a persistent workspace and generate local files, expanding behavior from menu routing into stateful filesystem modification. In an agent setting, hidden persistence can create privacy, integrity, and scope-creep risks, especially when users may believe they are only interacting with a research menu.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
The documentation tells the agent to run an installation command during workspace initialization, which crosses from conversational routing into command execution. Any agent instruction to execute shell commands without a distinct trust boundary or explicit confirmation is dangerous because it can alter the environment, install software, or trigger unintended side effects.

Context-Inappropriate Capability

Severity: Medium
Confidence: 81%
Finding
The menu encourages creation of persistent personal profile and decision-history files that are not essential to a simple menu-routing function. Persisting investment coverage, biases, and decision logs increases sensitivity of stored data and can expose private strategy information if written automatically or without clear consent.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The postamble instructs the agent to write checkpoint files and update task-state metadata during normal operation, which goes beyond the visible research-output behavior described to the user. This creates undisclosed workspace modification and persistence, which is risky because it can alter local state, leave sensitive traces, and surprise users who expected only conversational analysis.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The skill mandates archiving full outputs to local paths by default, including fallback writes to ./output, without evidence that the user explicitly approved persistent storage. Mandatory archival increases the chance of unintended data retention, leakage of sensitive research content, and writes outside the user’s expected workflow.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The instructions require modifying active task ledgers and deleting checkpoint files as part of completion logic, which are stateful filesystem operations unrelated to the narrow research task the user asked for. Hidden mutation of tracking files can corrupt workflows, interfere with other tools, or destroy recovery artifacts without explicit approval.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The skill explicitly requires reading a user-local `biases.md` file even though the stated purpose is public-market red-team analysis. Accessing local user files that are not necessary for the task expands the data-access scope and can expose sensitive personal or proprietary information without a clear functional justification.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding
The skill is designed to activate from very broad natural-language requests such as 'describe your task to begin,' which can cause it to take over conversations from generic investing-related prompts without explicit user intent to invoke this specific skill. In a prompt-stack environment, ambiguous activation increases the chance of unintended routing, context capture, and execution of downstream sub-skills without clear user confirmation.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The routing rule states that any described task with no number should be auto-routed via autopilot logic, but it does not define clear boundaries for which requests belong to this skill versus general assistant behavior. This ambiguity can cause overbroad interception of user prompts, unexpected delegation to internal modules, and reduced transparency about why a given action path was chosen.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The trigger phrase “接着上次的” (roughly "continuing from last time") is highly ambiguous and can match ordinary conversation rather than an explicit resume command. In this skill, that ambiguity is more dangerous because the mechanism automatically selects the most recent in-progress task from .task-pulse, which can cause the agent to resume or expose the wrong research workflow and mix task state across sessions.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The workflow specifies deleting the checkpoint immediately after completion without any user-facing warning, retention period, or recovery path. If the final output is incomplete, misfiled, or later disputed, the user loses the resumable state and intermediate work product, making recovery and auditability difficult.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
Immediate deletion on cancellation irreversibly removes the resume state even though cancellations are often accidental, temporary, or user-initiated for later continuation. In a long-running investment research skill, that can lead to loss of partially collected data, inability to reconstruct prior reasoning, and user confusion about what was discarded.

Vague Triggers

Severity: High
Confidence: 90%
Finding
The trigger phrases include very broad greetings and vague help requests, causing the skill to activate in contexts the user may not intend. Overbroad activation increases the chance of accidental routing, unintended workflow execution, and follow-on actions such as file initialization prompts or privileged behavior.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The initialization flow says to immediately generate multiple workspace files without clearly warning the user that local files will be created or modified. In an agent environment, silent or under-disclosed writes are dangerous because users may not understand that persistent artifacts containing sensitive research context are being stored.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The installation and initialization sequence lacks a clear risk notice about executing commands and writing to disk. When an agent can interpret these instructions operationally, missing consent and disclosure materially increase the risk of unauthorized environment changes and persistence.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill requires checkpoint and task-state file writes but does not provide an upfront user-facing warning that workspace files will be created or modified. Lack of disclosure undermines informed consent and can cause unintended persistence of sensitive task data in the user’s environment.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
This section mandates archive writes and task tracking updates without clearly informing the user that outputs and metadata will be persisted to disk. In a research workflow, archived reports may contain sensitive market views, notes, or internal reasoning, so undisclosed persistence materially increases privacy and operational risk.

Vague Triggers

Severity: High
Confidence: 95%
Finding
This guidance explicitly prioritizes over-triggering and semantic matching over precision, increasing the chance that ordinary user text will be reinterpreted as a command to invoke skills. In an agent setting, broad autonomous triggering can cause unintended tool/skill execution, workflow hijacking, and responses that ignore the user's actual request, which is a real control-plane security issue.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
Several trigger phrases are generic conversational expressions such as asking how something is or which is better, and the file encourages matching them aggressively. In this investment-research skill, that can spur unintended skill invocation from casual discussion, causing incorrect workflow routing and reducing user control over analysis behavior.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The trigger logic is overly broad for an autopilot entry skill: generic phrases like asking what to think about a company can match many ordinary requests and cause this skill to activate unintentionally. In a high-privilege orchestration skill, accidental invocation can misroute tasks, apply the wrong workflow, and suppress clarifying questions, increasing the chance of incorrect or policy-sensitive output.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
Multiple route categories use expansive keywords such as industry, event, policy, meeting, file, or vague action requests without clear precedence, exclusions, or disambiguation rules. Because this skill is designed as the default entry point and explicitly discourages follow-up questions, ambiguous inputs can be sent down the wrong chain, leading to flawed analysis, missed compliance checks, or inappropriate handling of uploaded materials.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding
The automatic mode-selection triggers are broad natural-language phrases like '怎么看' ("what do you make of it") or '深挖某行业' ("dig into some industry"), which can easily overlap with ordinary user requests and route the session into the wrong analysis mode. In this investment-research context, misrouting can bias the structure of the response, omit required risk or evidence framing, and produce misleading research outputs even if it does not directly execute code or exfiltrate data.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The instruction to read `biases.md` occurs without any user-facing notice, consent step, or explanation that personal data may be accessed. Hidden access to local files undermines user expectations and can lead to unauthorized collection of sensitive preferences, internal notes, or other personal context unrelated to the immediate analysis.

Ssd 3

Severity: Medium
Confidence: 98%
Finding
The preamble explicitly instructs the agent to read and update persistent files such as `.task-pulse`, `.checkpoint/{id}.md`, and `active-tasks.md`, and to reuse prior task context across sessions. This creates durable storage and resurfacing of user/task data without any visible consent, minimization, retention limit, or scoping rules, which can expose sensitive research targets, prior prompts, or internal work history to later sessions or unrelated tasks.

VirusTotal

64/64 vendors flagged this skill as clean.