Back to skill

Security audit

Zettaranc Perspective

Security checks across malware telemetry and agentic risk

Overview

This finance-analysis persona skill is mostly coherent, but it asks for sensitive token handling, silent environment checks, local persistence, and stateful trading workflows that deserve manual review before installation.

Install only if you are comfortable with a finance skill that may ask for a market-data API token, read/write local configuration, save reports and trade records, and remember investment preferences. Prefer running it in a contained workspace, avoid pasting secrets into chat unless you trust the runtime, and treat all trading output as educational decision support rather than instructions to trade.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill presents itself as 'analysis only' while elsewhere authorizing persistent writes such as environment configuration changes and trade-record creation. This mismatch is dangerous because it lowers user suspicion and can lead to unauthorized state changes on the host under the cover of a read-only advisory tool.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill instructs the agent to modify local environment configuration by writing credentials and mode settings into configuration files. An advisory skill should not silently gain host-side persistence capabilities, because this creates opportunities for credential mishandling, unauthorized configuration drift, and abuse if the skill is triggered in the wrong context.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill can create transaction records even though it is described as an analysis framework rather than an account or journaling system. Persistent record creation expands the trust boundary and may capture sensitive financial behavior without sufficiently explicit consent or data-governance controls.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The document disclaims investment advice while requiring concrete operational rules such as entry, stop-loss, and take-profit guidance. This contradiction can mislead users and downstream systems about the nature of the output, increasing legal, compliance, and safety risk around financial decision-making.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to write structured analysis to local Markdown artifacts and expose an absolute file:// path to the user. That expands the skill from advisory analysis into local filesystem interaction, which can reveal host-specific directory structure and create unintended persistence of potentially sensitive financial content.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Providing a host environment's absolute file path is unnecessary for the stated investment-analysis purpose and leaks environmental details such as usernames, workspace layout, and local storage conventions. Those details can aid fingerprinting, social engineering, or chaining with other environment-aware attacks.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The file specifies concrete CLI operations to add/remove tracked stocks, sync market data, and generate/save review reports, which goes beyond a read-only advisory skill and implies operational capabilities. In an agent runtime, this expands the action surface from answering questions to performing stateful portfolio-tracking workflows, creating risk of unauthorized actions, data persistence, and confusing users about what the skill is allowed to do.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The document describes feeding review results back into Guardrails, Error Recovery, and the knowledge base, which is a self-modifying control-loop pattern. If implemented by an agent, this can weaken safety boundaries over time, allow unreviewed policy drift, and let low-quality or manipulated market outcomes influence future constraints and recommendations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to silently inspect local environment configuration without informing the user. Hidden inspection of local settings violates transparency and least-surprise principles, and in a hostile skill context it normalizes covert host reconnaissance.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill asks users to paste an API token and then store it, but it provides no meaningful privacy warning, secret-handling guidance, or protection model. This is dangerous because conversational channels are poor places for credential collection, and storing tokens in plain configuration materially raises the risk of accidental disclosure or reuse by other tools.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill mandates saving structured output locally without warning the user that data will persist in the workspace. Because the content may include portfolio diagnostics, screening results, and trading-related information, silent persistence increases the risk of accidental retention, later disclosure, or cross-context leakage.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guidance says certain user profile and trading-preference data should be retained across sessions, but it provides no explicit privacy notice, consent flow, or retention limits. Cross-session memory of financial preferences and watchlists can expose sensitive behavioral data and create privacy and compliance concerns.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill declares very broad runtime loading conditions tied to multiple workflow steps rather than narrowly scoped user intents, which can cause the persona and decision framework to activate for ordinary conversations. In a high-risk finance-advice skill, unintended invocation is dangerous because it can steer users into investment-oriented guidance, collect unnecessary sensitive context, or override safer/default assistant behavior without clear consent.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger phrases for trade-review include common expressions like '复盘' or '我今天买了一只票', which can match casual discussion and auto-enter a specialized trading-analysis flow. In this context, accidental activation can produce personalized investment judgments or encourage transaction review without the user intentionally requesting regulated or high-risk financial analysis.

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
The workflow mandates a fixed 'Z哥' speaking style during stock/holding interrogation without user opt-in, which can override user expectations about tone, language, and the source of advice. For financial guidance, forced persona adoption increases the risk of undue persuasion or implied authority, especially when the style is intentionally forceful and prescriptive.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The LLM instructions repeatedly require output '以 Z哥角色' and prescribe a direct, forceful rhetorical style, leaving no room for user choice or safety-based tone adjustment. In a finance-related skill, this can amplify persuasive authority and make advice seem like endorsed expert instruction rather than contextual analysis, increasing behavioral risk to users.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill contains a natural-language workflow for collecting a Tushare token and persisting it into configuration, which operationalizes credential harvesting and storage inside a conversational flow. Even if intended for convenience, this creates a repeatable pattern that weakens secret-handling hygiene and broadens the blast radius of any prompt injection or logging exposure.

Ssd 3

Medium
Confidence
92% confidence
Finding
The skill instructs retention of extensive user data within the session and some across sessions, including holdings status, cost basis, risk preference, and trading style. In a finance-oriented context, this information is sensitive and can leak through future responses, logs, artifacts, or unintended recall if not tightly controlled.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.