Crypto Interactive Research Framework - CIRF

Security checks across malware telemetry and agentic risk

Overview

This is a plain-text crypto research framework that saves local workspace files and may use web research, with no evidence of malware, exfiltration, or destructive behavior.

Install only if you want an AI-assisted crypto research workspace that reads its own framework files, may search/fetch public web sources, and saves reports plus metadata under workspaces/. Review saved outputs periodically, avoid placing secrets or private keys in workspace documents, and treat any investment recommendations or position-sizing language as research input rather than financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (29)

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: The workflow instructs the agent to write a research brief to disk and mutate `workspace.yaml`, which are state-changing side effects not clearly disclosed as part of a user-approved action. In an agent setting, undisclosed local writes and metadata updates can create persistence, alter future workflow behavior, and surprise users who expected only interactive research assistance.

Description-Behavior Mismatch
Severity: Medium
Confidence: 91%
Finding: The workflow explicitly instructs the agent to write output files and then mutate `workspace.yaml`, including execution history and metadata, without any explicit user confirmation at the point of action. In a research skill, persistent state changes expand the skill from analysis into filesystem/state management, which can create unauthorized data persistence, overwrite risks, and hidden workflow chaining side effects.

Context-Inappropriate Capability
Severity: Medium
Confidence: 84%
Finding: The autonomous path grants broad discretion to choose methods, information sources, and execution strategies with minimal guardrails. In this framework, that can lead the agent to access unnecessary workspace materials or take actions beyond the user's intended scope, increasing the chance of overcollection, unintended disclosure, or unsafe operations.

Vague Triggers
Severity: Medium
Confidence: 90%
Finding: The README presents a very broad natural-language activation pattern ('I want to analyze Ethereum's current market position...') that could cause an AI tool to implicitly activate the skill when the user is merely discussing a topic rather than intending to invoke this framework. In assistants that auto-load skills based on semantic matching, this can lead to unintended persona adoption, file access, or workflow execution without clear user consent.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The README states that AI 'automatically manages workspaces' and that outputs are 'auto-saved' to local directories, but it does not prominently warn users that invoking the framework may create folders and write files on the local filesystem. In agentic CLI environments with filesystem permissions, this can cause unexpected persistence of potentially sensitive research data or modifications to the user's workspace without informed consent.

Vague Triggers
Severity: Medium
Confidence: 91%
Finding: The natural-language activation path is broad enough that ordinary user requests like general crypto analysis could implicitly trigger the framework, causing the agent to load additional local files and adopt workflow behavior without a clear, explicit opt-in. In a skill system, this increases the risk of unintended prompt-based activation, scope expansion, and execution of secondary instructions from repository files the user did not knowingly authorize.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The skill directs the agent to create directories, copy templates, and update workspace files, but it does not require explicit user consent or provide a warning that filesystem state will be changed. This can lead to unauthorized or surprising persistence, unintended overwrites, and trust-boundary violations, especially when combined with broad activation paths.

Vague Triggers
Severity: Medium
Confidence: 92%
Finding: The workflow handler accepts a generic instruction to 'Match request → Lookup path from core-config.yaml → Execute workflow.yaml' without defining strict trigger conditions, authorization checks, or an allowlisted set of invokable workflows. In an agent framework, this kind of broad activation logic can let ambiguous or adversarial user input cause unintended workflow execution, increasing the risk of prompt-driven control flow abuse or execution of sensitive capabilities.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The initialization flow directs the agent to create directories and write a new workspace configuration file automatically, but it does not require an explicit, informed confirmation that filesystem changes will occur. In an agent setting, silent writes can surprise users, alter project state, and be abused to persist data or create artifacts in the workspace without clear consent.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The component instructs the agent to update `workspace.yaml` silently and on a best-effort basis after the session ends, without explicit user notice or consent. In an interactive research workflow, silent persistence of session metadata can surprise users, create privacy/integrity issues, and allow unintended state changes that affect later runs without a clear audit point.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The workflow explicitly instructs the agent to write output files 'silent, no console display', which reduces user awareness of filesystem side effects at the time they occur. In an agent skill, undisclosed writes can hide unexpected persistence, overwrite prior artifacts, or normalize covert file modification behavior, especially when combined with templated paths and autonomous execution modes.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill directs the agent to modify `workspace.yaml` silently and on a 'best-effort' basis, meaning persistent state can be changed without contemporaneous user notice or reliable auditability. Silent state mutation is risky because it can alter workflow chaining, metadata, or future execution behavior in ways the user does not explicitly approve, and the content-creation context does not require hidden persistence to function safely.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: A silent file write to the output directory is a real transparency and consent problem in an agent workflow. Even if the file is expected for this feature, performing the write without prominently informing the user reduces auditability and can enable unwanted persistence of potentially sensitive research content on disk.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: Silently updating `workspace.yaml` introduces hidden persistent state that may affect downstream workflow chaining and future executions without the user's awareness. In a research framework, this is more dangerous because the state file can influence later automation, creating hard-to-audit behavior and possible cross-session surprises.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The instruction to write files to the output directory 'silent, no console display' removes user visibility at the moment persistent artifacts are created. Silent writes are dangerous because they can conceal data exfiltration, unexpected retention of sensitive research content, or unauthorized artifact generation under the guise of normal workflow execution.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: Silently modifying `workspace.yaml` introduces hidden persistence and statefulness that the user may not expect from a research workflow. Because this file influences future workflow chaining and metadata, undisclosed edits can affect later executions, mask provenance, or create hard-to-detect integrity issues across the workspace.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The guide explicitly instructs the AI to use external research tools proactively whenever facts would help, but it provides no guardrails about user consent, sensitive topic handling, or the possibility that prompts and context may be shared with third-party services. In an interactive research framework, this can cause unintended disclosure of proprietary, personal, or strategy-sensitive information during normal use.

Missing User Warnings
Severity: Low
Confidence: 81%
Finding: The guide says the AI may write a file if requested, but it does not impose confirmation, scope, or destination restrictions. That omission can lead to unintended modification or creation of user data, especially if the agent interprets vague requests broadly or writes to unexpected locations.

Vague Triggers
Severity: Medium
Confidence: 91%
Finding: The workflow explicitly states it will deliver research on "any topic defined by the user" without listing prohibited domains, safety boundaries, or escalation rules for high-risk subjects. In an agent skill, this broad mandate can enable misuse for harmful or regulated topics because the workflow optimizes for answering the user's request rather than first determining whether the request should be handled at all.

Vague Triggers
Severity: Medium
Confidence: 88%
Finding: The workflow is described as a comprehensive project database covering "ALL players in sector," but it does not define clear scope boundaries, triggering conditions, or limiting criteria. In an agent framework, this kind of broad mandate can cause unintended invocation, excessive data collection, or execution in contexts beyond the user's actual request, especially when combined with mandatory multi-step execution directives.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The template explicitly directs the model to produce investment-oriented outputs such as 'Immediate opportunities,' 'Specific opportunities,' 'entry considerations,' and 'position sizing guidance' without requiring any user-facing caution, suitability check, or financial-risk disclaimer. In a crypto research skill, this increases the chance that generated content will be interpreted as actionable financial advice, especially given the emphasis on execution and timing.

Hidden Instructions
Severity: High
Category: Prompt Injection
Confidence: 95%
Content (HTML comment excerpt, truncated in the scan output):
<!--
OPEN RESEARCH TEMPLATE
INSTRUCTIONS:
- Recall & Apply: {output-standards} (./framework/guides/output-standards.md)
- Validation: See open-research/objectives.md
PURPOSE: Flexible research output

Hidden Instructions
Severity: High
Category: Prompt Injection
Confidence: 95%
Content (HTML comment excerpt, truncated in the scan output):
<!--
PRODUCT ANALYSIS TEMPLATE
INSTRUCTIONS:
- Recall & Apply: {output-standards} (./framework/guides/output-standards.md)
- Validation: See product-analysis/objectives.md
LANGUAGE:
- Output: Follow

Hidden Instructions
Severity: High
Category: Prompt Injection
Confidence: 93%
Content (HTML comment excerpt, truncated in the scan output):
<!--
PROJECT SNAPSHOT TEMPLATE
INSTRUCTIONS:
- Recall & Apply: {output-standards} (./framework/guides/output-standards.md)
- Validation: See project-snapshot/objectives.md
LANGUAGE:
- Output: Follow

Hidden Instructions
Severity: High
Category: Prompt Injection
Confidence: 94%
Content (HTML comment excerpt, truncated in the scan output):
<!--
QA REVIEW TEMPLATE
INSTRUCTIONS:
- Recall & Apply: {output-standards} (./framework/guides/output-standards.md)
- Validation: See qa-review/objectives.md
LANGUAGE:
- Output: Follow core-config.ya

VirusTotal

64/64 vendors flagged this skill as clean.