Back to skill

Security audit

Portfolio Risk Desk

Security checks across malware telemetry and agentic risk

Overview

This skill largely matches its portfolio-briefing purpose, but it should be reviewed because live mode can use an Apify token to create, update, or delete remote scraping tasks and can persist or share portfolio context.

Install only if you are comfortable connecting an Apify account and having portfolio/watchlist-derived queries sent to Apify-backed Google/X scrapers. Prefer manual task IDs or review the bootstrap flow before enabling live providers, disable X signals if not needed, avoid LOCAL_STATE_DIR unless you want local persistence, and use inline delivery unless you intend the brief and metadata to be handed off for Notion storage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill describes capabilities that imply access to environment variables, files, network, and shell execution, but it does not declare any permissions or constrain them in metadata. In a host that relies on manifest-level permissions for enforcement or review, this creates a transparency and least-privilege gap that can allow broader access than users or operators expect.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
This file's primary behavior is provisioning and mutating remote Apify scraping tasks, including create, update, and delete operations, which is materially broader than simply generating a market-risk brief or emitting a host handoff. In a skill framed as portfolio analysis, this hidden infrastructure-management capability increases supply-chain and data-collection risk because it can establish persistent external scraping behavior under the user's Apify account.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The skill provisions an X/Twitter scraping task by default via `include_x_signals=True`, expanding collection to social-media content that is not clearly necessary from the stated portfolio-brief purpose alone. That makes the skill more dangerous in context because it silently adds a higher-risk external collection channel with potential compliance, privacy, and reputational implications.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs use of memory_recall and memory_store to persist portfolio/watchlist data, summaries, dominant factors, and risk-map changes, but it provides no user-facing disclosure, consent step, retention guidance, or sensitivity controls. Portfolio interests and analysis history can be sensitive financial profiling data, so silent persistence increases privacy and data-governance risk, especially across repeated runs.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The manifest explicitly states that the host can automatically bootstrap user Apify tasks from APIFY_API_TOKEN, but it does not mention any consent flow, scope limitation, or user-facing warning about how that credential will be accessed and used. In a finance-oriented skill with memory and persistence features, implicit credential-driven setup increases the risk of unauthorized use of external service access and surprises users about cross-system actions performed on their behalf.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The manifest exposes a broad brief-generation entrypoint without clearly constraining when it should be invoked or what portfolio/risk-analysis contexts are in scope. In an agent environment, underspecified triggering can cause the skill to activate on loosely related prompts and process sensitive portfolio, workspace, or profile context unnecessarily, increasing the chance of data over-collection, unintended external retrieval, or unwanted persistence handoffs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
When an existing task name matches but points to a different actor, the code deletes the task and recreates it without warning, confirmation, backup, or ownership validation. This can destroy user configuration or replace an expected task with a different remote scraper, making accidental disruption or abuse more likely.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The orchestrator logs workspace ID, delivery target, holdings, and themes at brief start, which can expose sensitive portfolio composition and user interest data to logs that may be retained, aggregated, or accessed by operators and other systems. In a portfolio-risk analysis skill, this data is inherently sensitive, so emitting it to logs without minimization or explicit consent creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
When delivery target is Notion, the code sends the full brief payload, markdown, audit content, workspace ID, profile metadata, and evidence data to the delivery adapter. This is a meaningful data-sharing boundary crossing to an external integration, and in this skill context the content may contain sensitive portfolio and profiling information, making silent transmission risky if not clearly authorized and minimized.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The default memory adapter uses local file-backed storage when a local state directory is configured, which means user briefs and related records may persist on disk outside the immediate request lifecycle. For a skill handling portfolio exposures and profile-linked analysis, undisclosed persistent local storage increases the risk of unintended retention, host compromise exposure, and cross-user data leakage on shared environments.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This code transmits user-derived holdings/watchlist and theme terms to an external Apify service to build live search queries, which can expose sensitive portfolio interests to a third party. In a finance-intelligence skill, watchlists and holdings may be confidential, so sending them off-platform without explicit notice/consent creates a real privacy and data-governance risk even if the transfer is functionally intended.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.