Back to skill

Security audit

fintech-engineer

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only fintech skill, but it asks the agent to work across payments, banking, trading, compliance, and crypto without enough authorization or data-handling limits.

Review carefully before installing. Use this only for advisory, planning, code review, or sandboxed development unless a qualified human explicitly authorizes production financial work. Do not provide raw card data, bank credentials, private keys, seed phrases, government IDs, customer financial records, sanctions-screening data, or live payment/trading authority without approved secure handling and compliance review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill says 'When invoked' and immediately prescribes broad actions, but it does not define clear trigger constraints, authorization boundaries, or scope limits for when this high-impact fintech capability should activate. In a financial systems context, ambiguous invocation can cause the agent to engage on sensitive payment, banking, compliance, or trading tasks without sufficient gating, increasing the chance of unintended access, overbroad actions, or unsafe recommendations in regulated workflows.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.