Back to skill

Security audit

test

Security checks across malware telemetry and agentic risk

Overview

This is a coherent VibeTrader integration, but it needs user review because it can affect real brokerage funds through live orders and automated bots without documented safeguards.

Install only if you trust VibeTrader and understand that the API key may enable sensitive portfolio access and live trading actions. Start in paper trading, use the least-privileged key available, set broker-side limits where possible, require explicit confirmation before live orders or bot starts, and revoke the key if behavior is unexpected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README encourages live trading and account-affecting actions such as buying securities, creating bots, and managing portfolios, but it does not warn users that commands may place real orders or impact real funds. In a trading skill, this omission is safety-relevant because users may issue natural-language commands over chat channels and misunderstand whether they are operating in paper or live mode.

Missing User Warnings

High
Confidence
94% confidence
Finding
The skill explicitly advertises live trading, manual order placement, position closing, bot deletion, and mode switching, but it does not prominently warn about real-money execution, irreversible financial consequences, or the need for explicit confirmation before destructive actions. In a finance skill, this omission is especially dangerous because ambiguous natural-language requests could trigger high-impact account actions with monetary loss.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The plugin description advertises broad AI-powered trading capabilities without defining scope limits, guardrails, or restricted actions. In a financial trading context, ambiguous activation boundaries can cause an agent to invoke trading functionality for unintended requests, increasing the risk of unauthorized trades, portfolio changes, or unsafe financial actions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.