Security audit

投资研究员

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only investment research assistant with no code or hidden access, though its broad activation triggers and financial-advice use require caution.

Safe to install as a research assistant. Verify investment outputs against primary filings and current market data, avoid relying on it for final investment decisions, and be careful before sharing confidential portfolio or proprietary research notes, especially if your agent runtime saves memory.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 96% confidence
Finding: The trigger list is broad enough to match many ordinary conversations about finance, analysis, reports, or budgeting, which can cause the skill to activate outside the user's intended context. This increases the chance that domain-specific instructions or persona constraints are injected into unrelated interactions, creating misrouting, confusion, and potentially unsafe or low-quality outputs.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.