Pine Script Developer

Security checks across malware telemetry and agentic risk

Overview

This is a Pine Script development aid with local template generation only, though its optional JavaScript helper should be used carefully because project names are not path-sanitized.

Installers should know this skill includes more than documentation: the JavaScript helper can create and overwrite local project files when run. Use it only in a workspace you control, avoid untrusted or path-like project names such as ../ values, and review generated trading strategy code before using it in TradingView.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 76%
Finding
The project creation routine writes multiple files and directories immediately based on a caller-supplied project name, with no confirmation, dry-run mode, or path safety checks. In an agent setting, this can cause unintended filesystem modification and, because the project name is joined directly into a path, may permit writing outside the intended project directory via path traversal values such as '../...'.

VirusTotal

64/64 vendors flagged this skill as clean.
