Stock Picker Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed stock-analysis coordinator with budget limits and no broker-execution behavior in its artifacts.

Install this only if you want an orchestrator that can call other finance skills for market data, news, valuation, and portfolio analysis. Review any downstream skills that handle API keys, portfolio records, audit logs, or target-state changes, and treat BUY/ADD/HOLD/TRIM/EXIT labels as analytical recommendations, not executable broker orders.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger conditions are very broad and match ordinary investing requests without specifying exclusions, consent, or preconditions. In an agent environment, this can cause the orchestrator to activate unexpectedly, invoke multiple downstream skills, and expand data collection or analysis scope beyond what the user clearly requested.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The example trigger phrases are similarly ambiguous and reinforce activation on loosely phrased requests. This increases the risk of overbroad routing, unnecessary downstream skill execution, and budget or governance side effects when the user may only want a simple answer.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal