Back to skill

Security audit

openInvest

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine investment assistant, but it needs Review because it handles sensitive financial records and credentials without enough user-facing guardrails.

Install only if you are comfortable letting the skill manage a local or remote investment ledger and run an external backend package. Treat API keys, Gmail App Passwords, brokerage screenshots, portfolio data, and committee transcripts as sensitive; prefer pinning the backend package, redacting screenshots, and confirming any cash, holding, trade, config, or automation changes before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill repeatedly instructs the host agent to execute shell commands such as `run.sh doctor`, `run.sh status`, `curl /api/user`, and other state-changing operations, yet no declared permissions are present. This creates a trust-boundary problem: a caller or platform may treat the skill as low-privilege while it actually requires command execution and network access, increasing the chance of unexpected execution, unsafe approval UX, or deployment in environments that did not intend to allow those capabilities.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The tool reference exposes capabilities that extend beyond narrow investment analysis, including reading and modifying user wealth context, scheduling automated event checks, and changing persistent configuration. In an agent skill, documenting these privileged actions without strong scope boundaries increases the chance that an LLM agent will perform sensitive profile or automation changes based on ambiguous prompts, causing unauthorized state changes.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger scenarios include broad natural-language phrases like "analyze X", "show portfolio", and "how is my P&L", which are likely to overlap with ordinary conversation and cause the skill to activate unexpectedly. Because this skill can invoke shell commands, query local/remote services, and perform trading-related state changes, accidental activation expands the attack surface and may lead to unintended data access or actions.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The protocol is triggered by very broad natural-language phrases like 'should I buy/sell X' or 'analyze X', which overlap with ordinary investment conversation. That can cause the agent to launch a multi-stage workflow, read/write portfolio memory, or invoke trading-related tooling when the user may have intended only casual discussion, increasing the chance of unintended sensitive actions or excessive tool use.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The protocol instructs the agent to persist full committee transcripts to disk, including analysis outputs and portfolio-related context, without requiring explicit user consent or a user-facing warning at the point of storage. In an investment skill, these transcripts can contain sensitive financial holdings, trading intent, and decision history, creating avoidable privacy and data-retention risk if stored automatically or accessed by other local processes/users.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The onboarding flow explicitly asks the agent to collect a DeepSeek API key and a Gmail App Password through normal conversation, but does not require any clear warning about the sensitivity of those credentials, how they will be stored, or the risks of sharing them in chat. In an agent ecosystem, conversational channels may be logged, retained, or exposed to other tools, so collecting secrets this way increases the chance of credential leakage and downstream account compromise.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The example payload places DEEPSEEK_API_KEY, EMAIL_SENDER, and EMAIL_PASSWORD directly into plaintext JSON piped to a shell command, without any adjacent warning about exposure in shell history, process inspection, transcripts, or local files. Even if intended for convenience, this pattern normalizes insecure handling of secrets and can lead to credential disclosure or reuse attacks if logs, debugging output, or command capture are accessible.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The screenshot-import workflow encourages users to share brokerage screenshots containing highly sensitive financial data, but it provides no privacy warning, redaction guidance, or data-handling minimization advice. In an agent context, this can lead users to disclose account identifiers, balances, and other private details unnecessarily, increasing privacy and data-exposure risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation lists numerous write-capable commands that alter holdings, cash, trades, and records, but it does not present a clear general warning that these commands persistently modify financial state. In an autonomous or semi-autonomous agent setting, insufficient signaling around destructive or state-changing operations raises the risk of accidental portfolio corruption or unintended transactions in the internal ledger.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
| `POST /api/events/check` | 手动跑一次 event_watch(拉新闻 + 归一化 + 入库 + 命中触发委员会)。同步 30-90s | — |
| `GET /api/config` | 看可经 API 配置的白名单参数当前生效值(+ 是否被 override + 元信息)| — |
| `PUT /api/config` | 改一条白名单 override(落盘持久、跨进程共读,优先级高于 env;ADR-017)| `{key, value}`,如 `{"key":"verdict.concentration_lens_enabled","value":false}` |
| `DELETE /api/config/{key}` | 删一条 override 回退默认 | — |

**典型流程**:用户说"我打算..."/"刚买了 X"/"我的持仓多了 Y" → 用
`POST /api/trades/record`(带 intended_date 区分计划 vs 已成交)→ 真实成交后用
Confidence
81% confidence
Finding
DELETE /api/config/{key}`

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.