Back to skill

Security audit

Crypto Interactive Research Framework - CIRF

Security checks across malware telemetry and agentic risk

Overview

This is a transparent crypto research prompt framework whose file and web access are disclosed and aligned with saving local research outputs.

Install only if you are comfortable with the agent reading the skill's Markdown/YAML files, using web search for public crypto research, and writing reports plus workspace metadata under the local workspaces directory. Review outputs before relying on them for financial decisions, and avoid placing secrets, wallet material, or private trading plans in workspace documents or prompts that may be used for web research.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (30)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The natural-language activation example encourages very broad requests like simply describing a goal and letting the AI 'activate' an agent on its own. In agentic environments, vague trigger phrases can cause unintended persona/workflow invocation, which may lead the assistant to read additional framework files or begin actions the user did not explicitly authorize.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README states that the AI 'automatically manages workspaces' and auto-saves outputs, but it does not prominently warn that this results in filesystem writes. In tools with write access, this can lead to unexpected file creation, modification, or persistence of sensitive research artifacts without explicit user confirmation.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill treats a broad natural-language request as sufficient to trigger reading additional framework files and selecting an agent/workflow automatically. In an agentic environment, this can cause unintended prompt-driven file access and workflow activation on ordinary user requests, increasing the risk of overreach, context confusion, or execution of downstream instructions from other local files without explicit user consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workspace creation section instructs the agent to create directories, copy files, and update workspace metadata, but does not require explicit user approval or warn that local files will be modified. In a tool-enabled environment, this can lead to unexpected filesystem changes, accidental overwrites, or persistence of project artifacts initiated from a prompt rather than an intentional user action.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The workflow handler accepts a broad 'Match request' instruction and then resolves a path from core-config.yaml before executing workflow.yaml, but it does not define strict trigger criteria, allowed workflow names, or validation rules. In an agentic system, this ambiguity can let crafted user input activate unintended workflows or cause overly permissive dispatch behavior, especially when the agent is instructed to execute follow-on files automatically.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The initialization sequence instructs the agent to create directories and generate a new workspace.yaml based on user input, but it does not require an explicit confirmation or warning before making filesystem changes. In an agent setting, this can lead to unintended writes or creation of attacker-influenced paths/workspaces, especially if the workspace identifier is not strictly validated and the user may not realize activation triggers modifications.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill directs the agent to update an existing workspace.yaml with cached session variables whenever values differ, without first warning the user that an existing configuration file will be modified. Silent mutation of configuration files can overwrite user-managed settings, create integrity issues, and be abused by prompt-driven state changes that persist beyond the current session.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to update `workspace.yaml` silently and on a best-effort basis, without an explicit user confirmation step at the time of modification. Background state mutation can surprise users, create unauthorized persistence of session metadata, and make it harder to distinguish user-requested saves from implicit tracking writes.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The workflow explicitly instructs the agent to write output files 'silent, no console display', which removes transparency around filesystem side effects. Even though the target path is constrained to the workspace output directory, undisclosed writes can surprise users, overwrite expected artifacts, and make it harder to detect misuse or accidental data placement in an agentic environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow directs the agent to modify workspace.yaml silently and on a 'best-effort' basis, which creates hidden state changes that can affect later workflow chaining and persistence without clear user awareness. Silent state mutation is risky because it can alter execution history, metadata, or future behavior in ways the user did not explicitly approve and may not notice.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The component instructs the agent to write output files and update workspace state 'silent' or 'best-effort' without requiring explicit user-facing disclosure or confirmation. In an agentic system, undisclosed persistence can surprise users, create unintended data retention, and enable tampering with workflow state that affects later executions, especially when workspace files are reused downstream.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow explicitly instructs the agent to write output files silently with no console disclosure, which removes an important transparency and consent signal for the user. In an agent framework that can access a workspace, undisclosed file creation can be abused to persist misleading artifacts, overwrite expected outputs, or stage follow-on actions without the user realizing a state-changing operation occurred.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The workflow directs the agent to modify workspace.yaml silently and on a best-effort basis, without notifying the user that persistent workspace metadata will be changed. Silent state mutation is risky because it can alter workflow history, chaining behavior, or future execution context in ways the user cannot easily observe, creating persistence and integrity concerns across sessions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide explicitly tells the AI to use external tools like WebSearch proactively, without requiring prior user consent or notification that data may be sent to external services. In a research framework, users may share sensitive strategy, financial, or proprietary crypto information during brainstorming, so silent network requests can leak prompts or context outside the local interaction boundary.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The guide allows the AI to write a file if requested, but does not require confirmation, scope restriction, or warning that user data or local files may be modified. This can lead to accidental overwrites, persistence of sensitive brainstorming content, or writing to unintended paths if the surrounding system exposes file tools.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The workflow is described as applicable to 'any topic' with flexible, user-defined scope, but it does not define meaningful activation boundaries or topic restrictions. In an agent skill, this broad framing increases the chance the workflow will be invoked for unsafe, out-of-domain, or policy-sensitive requests, especially when paired with mandatory downstream execution steps that pull in additional instructions.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The workflow description promises coverage of "ALL players in sector" with "systematic categorization and evaluation," but provides no explicit scoping limits, exclusion criteria, or termination conditions. In an agentic research framework, this can drive uncontrolled breadth, excessive data gathering, and pressure the agent to overreach into ambiguous or unsafe sources, increasing the chance of prompt-following errors, resource abuse, and low-quality or misleading output.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The template explicitly frames output as investment decision support and asks for immediate opportunities without any financial-risk warning or suitability guardrails. In a crypto research skill, this can push the agent toward personalized or overly actionable financial guidance that users may rely on for real monetary decisions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This section goes beyond analysis into executable recommendations, including specific opportunities, entry considerations, position sizing, and risk management, while providing no warning or restriction. In a high-volatility crypto context, such instructions materially increase the chance of users acting on unsafe or unsuitable advice and suffering financial loss.

Hidden Instructions

High
Category
Prompt Injection
Content
<!--
SESSION SUMMARY TEMPLATE
INSTRUCTIONS:
- Recall & Apply: {brainstorming-guide} (./framework/guides/brainstorming-guide.md)
Confidence
90% confidence
Finding
<!-- SESSION SUMMARY TEMPLATE INSTRUCTIONS: - Recall & Apply: {brainstorming-guide} (./framework/guides/brainstorming-guide.md) - Validation: See brainstorm/objectives.md PURPOSE: Capture brainstorm

Hidden Instructions

High
Category
Prompt Injection
Content
<!--
INVESTMENT RESEARCH BRIEF TEMPLATE
INSTRUCTIONS:
- Recall & Apply: {output-standards} (./framework/guides/output-standards.md)
Confidence
90% confidence
Finding
<!-- INVESTMENT RESEARCH BRIEF TEMPLATE INSTRUCTIONS: - Recall & Apply: {output-standards} (./framework/guides/output-standards.md) - Validation: See create-research-brief/objectives.md - Usage: Fill

Hidden Instructions

High
Category
Prompt Injection
Content
<!--
PROJECT RESEARCH BRIEF TEMPLATE
INSTRUCTIONS:
- Recall & Apply: {output-standards} (./framework/guides/output-standards.md)
Confidence
89% confidence
Finding
<!-- PROJECT RESEARCH BRIEF TEMPLATE INSTRUCTIONS: - Recall & Apply: {output-standards} (./framework/guides/output-standards.md) - Validation: See create-research-brief/objectives.md - Usage: Fill all

Hidden Instructions

High
Category
Prompt Injection
Content
<!--
OPEN RESEARCH TEMPLATE
INSTRUCTIONS:
- Recall & Apply: {output-standards} (./framework/guides/output-standards.md)
Confidence
90% confidence
Finding
<!-- OPEN RESEARCH TEMPLATE INSTRUCTIONS: - Recall & Apply: {output-standards} (./framework/guides/output-standards.md) - Validation: See open-research/objectives.md PURPOSE: Flexible research output

Hidden Instructions

High
Category
Prompt Injection
Content
<!--
PRODUCT ANALYSIS TEMPLATE
INSTRUCTIONS:
- Recall & Apply: {output-standards} (./framework/guides/output-standards.md)
Confidence
97% confidence
Finding
<!-- PRODUCT ANALYSIS TEMPLATE INSTRUCTIONS: - Recall & Apply: {output-standards} (./framework/guides/output-standards.md) - Validation: See product-analysis/objectives.md LANGUAGE: - Output: Follow

Hidden Instructions

High
Category
Prompt Injection
Content
<!--
PROJECT SNAPSHOT TEMPLATE
INSTRUCTIONS:
- Recall & Apply: {output-standards} (./framework/guides/output-standards.md)
Confidence
96% confidence
Finding
<!-- PROJECT SNAPSHOT TEMPLATE INSTRUCTIONS: - Recall & Apply: {output-standards} (./framework/guides/output-standards.md) - Validation: See project-snapshot/objectives.md LANGUAGE: - Output: Follow

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.