Trading Quant

Security checks across malware telemetry and agentic risk

Overview

This is a coherent market-data and stock-analysis skill, with transparency caveats around local caching, broad triggers, and sentiment scoring quality.

Reasonable to install if you want a market-data helper, but treat outputs as informational rather than investment advice. Be aware that it contacts third-party finance/news services, may fall back to local watchlist symbols when no ticker is provided, stores market caches/snapshots locally, and that some sentiment scores may be keyword-based rather than FinBERT-based.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Intent-Code Divergence

Severity: Medium | Confidence: 95%
Finding
The module-level documentation advertises FinBERT-based sentiment analysis, but `_get_finbert_analyzer()` is hardcoded to return `None`, ensuring the model path is never used. This is a real integrity issue because downstream users may rely on the claimed analysis quality for trading decisions while actually receiving a much weaker keyword-based heuristic.

Description-Behavior Mismatch

Severity: Medium | Confidence: 88%
Finding
The skill exposes generic text sentiment tools and model-management operations that go beyond the declared market-data/query scope. Scope expansion matters because it enables processing arbitrary user text and potentially loading heavyweight local models or invoking adjacent functionality that users and orchestrators may not expect, increasing attack surface and privacy risk.

Description-Behavior Mismatch

Severity: Medium | Confidence: 90%
Finding
The save_daily path performs local state-changing persistence despite the skill being described as read/query-oriented. Undisclosed writes create integrity and privacy concerns because invoking the skill can leave durable artifacts or modify local state in ways the caller does not expect.

Context-Inappropriate Capability

Severity: Medium | Confidence: 92%
Finding
The file contains hidden persistent IPC behavior using predictable paths under /tmp and a local Unix socket, which is unrelated to the stated trading-analysis interface. This is dangerous because local IPC can be abused by other local processes, can route user-supplied text to an unintended backend, and the predictable /tmp filenames increase tampering and spoofing risk in multi-user environments.

Vague Triggers

Severity: Medium | Confidence: 77%
Finding
The 'Use when' guidance is broad enough to match many generic stock-related requests, without exclusions for investment advice, unsupported markets, stale/off-market data, or when maintenance commands should never be auto-invoked. In an agent setting, vague triggers increase unintended activation and can route ordinary finance questions into a tool with network and file capabilities, expanding attack surface and user surprise.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding
User-provided texts are serialized and sent over a local Unix socket to a persistent service without disclosure or trust verification. Even though the channel is local, that still creates a data-exposure path and allows a spoofed or compromised local service to receive sensitive inputs and return manipulated outputs.

Missing User Warnings

Severity: Medium | Confidence: 76%
Finding
The skill makes many outbound requests to market and news providers, which is expected for a trading-analysis tool, but the absence of user-facing disclosure still creates a transparency/privacy issue. The context makes this less severe than in a non-networked skill because remote data access is core to the feature set, yet users may still unknowingly cause external requests containing symbols, watchlists, or derived interests.

Missing User Warnings

Severity: Low | Confidence: 86%
Finding
The code writes market/watchlist snapshot data to local storage without warning the user that persistence occurs. While the stored content appears limited, silent retention can still expose trading interests, usage patterns, or local state to later access by other components or users.

Vague Triggers

Severity: Medium | Confidence: 89%
Finding
The trigger phrase at line 9 is broad enough to match common user requests about stock information, which can cause the skill to activate when the user did not explicitly intend to invoke it. In a finance context, unintended activation can lead to incorrect tool routing, unnecessary data access, or over-reliance on this skill's outputs for financial decisions.

Vague Triggers

Severity: Medium | Confidence: 93%
Finding
The trigger phrase "量化分析" is highly generic and may appear in ordinary finance discussions that are not requests to invoke this specific skill. This increases the chance of accidental activation and misrouting in multi-skill environments, especially because the skill handles broad market-analysis functionality.

Vague Triggers

Severity: Medium | Confidence: 95%
Finding
The English trigger "stock analysis" is extremely broad and lacks any activation boundary, making it likely to overlap with normal conversation or other finance tools. In an agent ecosystem, this can cause unintended invocation, prompt-routing conflicts, and delivery of potentially unsuitable financial analysis to the user.

VirusTotal

66/66 vendors flagged this skill as clean.