Back to skill

Security audit

Statistical Arbitrage 統計套利

Security checks across malware telemetry and agentic risk

Overview

The skill is a plausible finance backtesting tool, but its executable script is obfuscated and does not match the configurable behavior promised in the documentation.

Review before installing. Run it only in an isolated Python environment, verify or replace the obfuscated script before relying on results, and do not assume it will analyze the tickers or parameters you request until the CLI behavior is fixed. Treat all output as informational, not investment advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script contains a hard-coded absolute path to a specific user's Desktop directory, which can expose local environment details and encourages unsafe file-handling patterns. In an agent skill context, writing outputs to implicit host paths without user consent can lead to accidental data disclosure, overwriting files, or privacy issues if later code begins using this path.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.