Back to skill

Security audit

Prediction Stack Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed automated trading orchestrator, but it also exposes sensitive local trading-stack status, configs, logs, and process details over an unauthenticated network monitor.

Install only if you intentionally want an automated prediction-market trading system. Before live use, add paper-trading or manual approval gates, set hard spend and loss limits, review all local prompt/config files, and run the monitor only on localhost behind authentication with secrets and logs redacted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no permissions, yet the specification explicitly instructs reading local files from home-directory paths and invoking SDK/process-related functionality. That mismatch can bypass user expectations and review controls, especially if the runtime infers capabilities from behavior rather than an explicit permission model.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
A description-behavior mismatch is dangerous because operators may approve the skill as a trading orchestrator while it also monitors the host, enumerates installed skills, reads local configs/logs, and exposes status data over an HTTP server. Hidden monitoring and data-exposure behaviors materially expand the attack surface and could leak sensitive configuration, credentials-adjacent metadata, or operational details.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The monitor enumerates local processes and returns PID, CPU, memory, start time, and command-line fragments through unauthenticated API endpoints. This discloses sensitive host telemetry unrelated to a narrow orchestration role and can aid attackers in reconnaissance, targeting running tools, inferring secrets from command lines, or mapping the local environment.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The server reads local configuration files, scores, and logs from user directories and makes them available over HTTP. These files may contain operational details, strategy parameters, file paths, model outputs, and potentially secrets or sensitive market/trading context, creating unnecessary data exfiltration risk.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill is designed to place automated financial trades via the Kalshi SDK, but the documentation lacks a prominent warning, confirmation model, or safety gating for high-impact external actions. In practice, this can lead users to enable automation without understanding that real orders, losses, and account impact may result.

Missing User Warnings

Low
Confidence
79% confidence
Finding
Referencing credential files and external services without clear privacy/security disclosure increases the chance that users expose sensitive tokens or account configuration unintentionally. Even if the skill only reads expected config locations, this is risky in combination with local file access and potential monitoring/logging behavior.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The API aggregates and serves process metadata, evaluation results, configuration files, and recent logs, and the server binds to `0.0.0.0` with no authentication. In a typical deployment this enables anyone with network access to harvest sensitive local operational data, which could include credentials in command lines or logs, proprietary strategy settings, and internal system state.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:159