Trade Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a local trade-record analyzer that reads user-provided data and generates reports, with no evidence of hidden access, persistence, or exfiltration.

Install only if you are comfortable providing trade-history data for local analysis. Prefer CSV/text inputs, redact unnecessary account or personal identifiers, review any separate Excel-processing helper before using .xlsx files, and verify the parsed columns/results before relying on the report.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Low
Confidence: 78%
Finding
The fallback in _find_column returns the first header when no candidate matches, causing unrelated columns to be silently treated as date, stock, return, or strategy fields. In a data-analysis skill, this can materially corrupt computed metrics and generated reports, enabling crafted input to mislead users' trading conclusions without obvious parsing failure.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrases are broad enough to match ordinary conversation about trading, which can cause the skill to activate unexpectedly and ingest sensitive financial records or provide analysis when the user did not clearly intend to invoke it. In a finance context, unintended activation is riskier because uploaded trading data may contain personal financial information and strategy details.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill invites users to upload trading records but does not warn that those files may contain sensitive financial data, account identifiers, or proprietary strategy information. This increases the chance of oversharing and weakens informed consent around handling personal or confidential trading data.

VirusTotal

64/64 vendors flagged this skill as clean.
