Back to skill

Security audit

optionwhales

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent OptionWhales API client for market data and AI trade reports, with privacy considerations around identifiers and optional order data.

Install this only if you intend to use OptionWhales market-data and AI-report services. Use a pseudonymous user ID instead of an email where possible, avoid providing an orders file unless you are comfortable sending that content to the AI report endpoint, and configure only the API tokens needed for the features you plan to use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README shows example commands that send a user identifier in the form of an email address to a remote AI reporting service, but it does not warn users that personally identifiable information may be transmitted, stored, logged, or used for quota/history tracking. In a finance-oriented skill that encourages repeated report generation and history lookups, this creates a realistic privacy risk because users may supply real email addresses without understanding the data handling implications.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The AI report examples send a user identifier such as an email address to an external AI service, but the skill text does not provide a privacy notice, consent flow, or data-sharing limitation. That creates avoidable privacy risk because personally identifiable information may be transmitted off-platform to a third-party service for report generation and history queries.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The command handlers transmit user identifiers, ticker selections, trading dates, and potentially detailed order-flow data to a third-party remote service without any explicit consent prompt, privacy notice, or minimization guard. In an agent context, this can cause unintended disclosure of sensitive financial activity or personally identifiable information to an external system.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.