Quant Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This quant-trading skill mostly does what it advertises, but it also ships under-explained billing code that can contact a payment service and attempt charges.

Review before installing. Ask the publisher to remove or fully document the SkillPay billing code, move the API key out of source, state exact pricing and minimum deposit terms, and require explicit confirmation before any charge or payment-link creation. Treat generated trading signals and backtests as research only, not financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding:
This file implements a full billing/payment workflow, including charging users and generating payment links, despite the skill being described as a quant prediction/backtesting system. The mismatch in purpose is dangerous because it introduces monetization and payment-handling behavior unrelated to the stated functionality, increasing the likelihood of unauthorized charges or deceptive monetization embedded in an otherwise unrelated skill.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding:
The skill contains payment-processing capabilities that are not justified by its advertised quant-orchestration purpose, including direct charge and payment-link generation endpoints. In this context, hidden payment logic is especially suspicious because users invoking trading or backtesting functionality would not reasonably expect their identifiers to be sent to a billing service or a charge attempt to occur.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding:
The docstring says the function checks balance and charges if sufficient, but the implementation immediately calls charge_user() and relies on the remote service to reject insufficient funds. This discrepancy is dangerous because it can mislead reviewers and integrators into believing a safer pre-check exists when the code actually initiates a charge attempt first.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The charge_user function sends a user identifier to an external billing service and attempts to charge immediately, with no user-facing notice, confirmation, or consent flow in the code. This is dangerous because it enables silent financial actions and external data transmission, which is particularly inappropriate for a quant-analysis skill where charging behavior is not expected from the stated purpose.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The skill writes a file to disk as a side effect without explicit notice, consent, or output-path controls. In an agent environment, undisclosed filesystem writes can overwrite user files, create persistence artifacts, or leak sensitive generated content into shared workspaces.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The report explicitly recommends proceeding to simulated trading based on positive backtest metrics without any balancing disclosure about model risk, overfitting, market regime changes, or the possibility of loss. In a quant-trading skill, this can unduly increase user trust in AI-generated strategy output and encourage financial decision-making from incomplete risk information.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
def charge_user(user_id: str) -> dict:
    """Charge user for skill usage"""
    try:
        response = requests.post(
            f"{BILLING_URL}/charge",
            json={
                "user_id": user_id,
Confidence: 94%
Finding: requests.post( f"{BILLING_URL}/charge", json=

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
def get_payment_link(user_id: str, amount: float = 10) -> str:
    """Get payment link for user"""
    try:
        response = requests.post(
            f"{BILLING_URL}/payment-link",
            json={
                "user_id": user_id,
Confidence: 83%
Finding: requests.post( f"{BILLING_URL}/payment-link", json=

VirusTotal

54/54 vendors flagged this skill as clean.
