Finlab

Security checks across malware telemetry and agentic risk

Overview

This FinLab skill is mostly a coherent trading/backtesting guide, but it also teaches agents how to handle broker credentials and place real orders without strong consent or safety boundaries.

Install only if you intentionally want an agent to help with FinLab workflows. Use an isolated Python environment, approve package installs and OAuth logins manually, keep broker credentials out of chats and source files, set upload=False for private backtests unless you deliberately opt in, and never allow live order execution unless you have reviewed and approved the exact orders.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding:
The skill explicitly includes code and steps to connect a broker account and create live orders, culminating in actual order submission. In the context of a documentation skill framed as a guide, this crosses from analysis into high-risk financial action and could cause unauthorized or unsafe real-money trades if an agent follows it automatically.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The manifest describes a comprehensive guide, but the body instructs the agent to 'run it,' install packages, initiate OAuth login, and execute code on the user's behalf. This mismatch encourages autonomous side-effecting behavior beyond passive documentation use, increasing the chance of unwanted system changes, credential flows, or execution of risky financial workflows.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The skill materially expands from analysis/backtesting into live broker connectivity and real order execution, including creating, updating, and canceling orders. In an agent skill context, this broadens capability from informational analysis to actions that can directly affect user funds, increasing the chance of unsafe automation or misuse.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The documentation includes broker credential setup, personal identifiers, certificate paths, and account passwords even though the stated skill purpose is FinLab analysis/backtesting guidance. This unnecessarily normalizes handling highly sensitive secrets in a broader skill and can prompt users or downstream agents to expose credentials in unsafe contexts.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding:
The trigger language is broad enough to activate on generic trading or stock-analysis requests, not just clear FinLab-specific tasks. That expanded activation surface makes it more likely that users are funneled into this skill's execution-oriented instructions, including installation, OAuth, and potentially live trading flows, when a narrower skill would be safer.

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
The skill presents live broker order execution as an optional workflow but does not provide a strong warning that this can place real-money trades or require explicit high-friction confirmation. In a financial context, missing such guardrails is dangerous because an agent or user may treat the steps as routine continuation from backtesting to production.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The documentation states that strategy performance reports are uploaded by default (`upload=True`) without prominently warning that simulation outputs may be transmitted to an external service. In a quantitative trading context, reports can reveal proprietary strategies, holdings, performance, or market hypotheses, so silent default exfiltration creates a real privacy and confidentiality risk.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The documentation advertises Line notifications and a `line_access_token` parameter but provides no guidance on secure secret handling or the privacy implications of sending report content through a third-party messaging platform. This can lead users to hardcode tokens or unknowingly transmit sensitive trading information to external systems.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The example calls `backtest.sim(position)` without disabling uploads, which normalizes potentially unsafe default behavior and may cause users to transmit strategy results unintentionally. Examples are especially influential in documentation, so omission of `upload=False` materially increases the chance of accidental data disclosure.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The file documents methods that create, update, and cancel real orders without strong warnings that these operations can immediately place trades or alter pending orders tied to real brokerage accounts. In a skill consumed by an agent, missing cautions and consent boundaries make accidental financial harm more likely.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The documentation enumerates sensitive API keys, passwords, certificate data, and personal identifiers but does not provide clear handling guidance such as redaction, least exposure, rotation, or use of secure secret managers. This increases the risk that users copy secrets into source files, notebooks, or agent-visible environments where they can be leaked.

VirusTotal

64/64 vendors flagged this skill as clean.