Back to skill

Security audit

Data Hub

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its data-sharing purpose, but it contradicts its “in-memory only” claims by persisting sensitive risk-audit data to arbitrary filesystem paths.

Install only if you are comfortable with risk-audit data being written to disk when snapshot_path or snapshot helpers are used. Avoid providing sensitive account details, constrain where snapshots can be stored at the application level, and review or patch the snapshot functions before using this in a trading environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation indicates file read/write capabilities without declaring corresponding permissions, which creates hidden capability risk and weakens trust boundaries for agents using the skill. In a multi-agent trading system, undeclared filesystem access can enable unintended data exfiltration, state tampering, or persistence beyond the advertised in-memory scope.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill claims it is not for persistent storage, yet the documented behavior includes saving and loading risk_audit snapshots from the filesystem. This mismatch is security-relevant because downstream agents and orchestrators may rely on the documented non-persistent behavior when handling sensitive trading or risk data, leading to accidental retention of sensitive state on disk.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
Declaring the skill as non-persistent while documenting persistent risk_audit snapshots creates inconsistent security expectations and can cause operators to store sensitive risk state unintentionally. Even if only one namespace is persisted, that can reveal account protection status, drawdown, and operational constraints that should remain ephemeral unless explicitly approved.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The namespace is described as an in-memory shared data hub and explicitly 'NOT for persistent storage', yet it exposes save/load snapshot helpers that write to and read from disk. This creates an unintended persistence channel for sensitive risk-audit data and breaks the stated trust boundary of the skill, increasing the chance of data leakage, stale state reuse, or misuse by other agents.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The save_snapshot and load_snapshot functions accept arbitrary filesystem paths and perform direct read/write operations without validation, sandboxing, or allowlisting. In an agent environment, this can be abused to overwrite application files, exfiltrate readable local files, or persist sensitive internal state outside the intended in-memory data plane.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.