Back to skill

Security audit

investoday-hotspot-event-decoding

Security checks across malware telemetry and agentic risk

Overview

This is a finance research helper that produces theme-level market event reports using a declared data dependency, with only minor routing ambiguity in its trigger phrases.

Reasonable to install if you want theme-level market event summaries. Confirm you trust the investoday-finance-data dependency, avoid entering private or non-public financial information, and treat the output as research context rather than investment advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list includes broad natural-language phrases like '最近有什么重要事件' and '这波热点意味着什么', which are generic enough to match many finance-related user requests beyond the intended scope. This can cause unintended skill activation, leading the agent to route users into this workflow when they may have wanted a different tool or a narrower analysis path.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation scenarios rely on broad user intents like asking what an event 'means' or what happened 'recently,' without sufficiently strict exclusion criteria. In an agentic system, this ambiguity increases the chance of accidental invocation and misrouting, which can surface irrelevant financial analysis or bypass more appropriate domain-specific skills.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.