Security audit

Serenity-framework/白毛股神的供应链瓶颈分析框架

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only investment analysis framework with disclosed high-risk trading guidance, but no hidden code, account access, persistence, or automation.

Install only if you want a high-risk stock-analysis template. Treat outputs as educational research, not personalized financial advice; independently verify facts, consider your risk tolerance, liquidity and tax impacts, and do not connect the skill to brokerage or trading actions without explicit user control.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill gives concrete portfolio-allocation and exit guidance, including recommended position sizing and full-position exits, without any warning that the output is not financial advice or that losses may result. In an investment-analysis context, users may reasonably treat this as actionable personalized guidance, increasing the chance of financial harm from overreliance on the skill.

Natural-Language Policy Violations

Medium

Confidence: 87% confidence
Finding: The file presents the case study in both English and Chinese without indicating user language preference or documenting a required locale constraint. In an agent skill context, forcing bilingual output can reduce usability, increase prompt surface area, and create inconsistent downstream behavior if a caller expects a single-language response format.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal