Back to skill

Security audit

QuantAll

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local stock-analysis/database skill, but it can start a local service and write config or launcher files, so users should expect local system changes.

Install only if you want a local quantitative finance engine that can run a localhost service, manage DuckDB stock databases, call market-data providers, and store a Tushare API key in a local plaintext file. Use a dedicated virtual environment, review the quantall package source/version before installing, keep database and API-key paths under your control, and only allow launcher or shortcut creation when you explicitly want persistent local launch artifacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
        # 启动子进程(忽略 I/O)
        if sys.platform == "win32":
            process = subprocess.Popen(
                [python_exe, str(target_script)],
                cwd=str(current_dir),
                creationflags=subprocess.CREATE_NEW_PROCESS_GROUP,
Confidence
94% confidence
Finding
process = subprocess.Popen( [python_exe, str(target_script)], cwd=str(current_dir), creationflags=subprocess.CREATE_NEW_PROCESS_GROUP,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
stdin=subprocess.DEVNULL
            )
        else:
            process = subprocess.Popen(
                [python_exe, str(target_script)],
                cwd=str(current_dir),
                stdout=subprocess.DEVNULL,
Confidence
94% confidence
Finding
process = subprocess.Popen( [python_exe, str(target_script)], cwd=str(current_dir), stdout=subprocess.DEVNULL, stderr=subpro

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill describes capabilities to read and write local files and run shell/Python commands, but no explicit permission boundary is declared. In an agent setting, undeclared powerful capabilities weaken user awareness and policy enforcement, increasing the risk of unexpected filesystem changes or command execution during routine use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The skill is presented primarily as a quantitative analysis engine, but the documented behavior also includes package installation, service launching, database creation, external data fetching, and config/API file management. This mismatch can cause users or orchestrators to invoke the skill in contexts where they do not expect system modification, network-dependent data ingestion, or handling of sensitive credentials.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill exposes capabilities beyond straightforward database management, including arbitrary local market-data querying and launching a separate MCP service. Capability expansion is risky because users and orchestrators may grant trust based on the declared purpose of an update skill, while the implementation can perform broader actions than expected.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill writes a launcher script to disk and then executes it as a local Python subprocess. Writing executable code and immediately launching it is a powerful host-side capability that increases the attack surface, enables persistence-like behavior, and is not well-justified for a stock-data update tool.

Vague Triggers

High
Confidence
91% confidence
Finding
The trigger conditions explicitly allow activation not only on explicit quant-analysis requests but also on general stock-related discussion whenever the AI judges QuantAll might help. Overly broad auto-triggering can escalate ordinary conversation into code-writing, local execution, database access, or file modification flows without a sufficiently specific user request.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill instructs the AI to proactively offer creating run.bat and desktop shortcuts, which are persistent filesystem modifications and can affect how software is launched on the host. Without a prominent warning and explicit informed consent model, users may not appreciate the security implications of creating executable launchers or desktop artifacts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
These tools automatically create configuration files and an API placeholder file on disk without explicit user confirmation. Silent filesystem writes are risky in agent settings because they can modify local state unexpectedly, leak operational intent, and normalize broader write access than the user may have authorized.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill creates `Start_QuantAll.py` if missing and immediately launches it, without an upfront warning or confirmation. Combining silent file creation with process execution is especially dangerous in a local-agent context because it can introduce new executable artifacts and start services the user did not knowingly approve.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list for `new_layer_from_code` includes very broad terms like '分析', '标记', and '生成图层', which can overlap with normal user conversation and cause unintended tool selection. In this skill, accidental invocation matters because the tool creates or replaces the active analysis layer and can steer the agent into executing code-backed market analysis the user did not explicitly request.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The `select_by_code` trigger phrases—such as '找出', '查询', '筛选', '标记', '选择'—are generic enough to match ordinary dialogue rather than a deliberate request to filter the active QuantAll layer. Because this tool mutates the current selection state and recomputes downstream statistics, unintended activation can distort analysis results and produce misleading financial conclusions.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The `move_by_code` activation phrases include broad terms such as '移动', '分组', and '分布', which are common in non-tool conversational contexts. In this skill, an accidental move operation changes X/Y mappings for the current analytical layer, potentially altering visual interpretation and heat-map outputs without the user intending to re-parameterize the analysis.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The `heat_map` tool advertises highly generic triggers like '统计', '热力统计', and especially '分析', making it difficult to distinguish ordinary discussion from a request to query the current layer's matrix data. In a financial-analysis skill, this can cause the agent to enter an unintended computation path and present quantitative outputs as if they were user-requested, increasing the risk of misleading investment analysis.

Unpinned Dependencies

Low
Category
Supply Chain
Content
quantall>=1.0.0
Confidence
95% confidence
Finding
quantall>=1.0.0

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.