Groww

Security checks across malware telemetry and agentic risk

Overview

This Groww skill is disclosed as a trading helper, but it gives an agent live brokerage trading power without enough confirmation or safety boundaries.

Install only if you intend to let the agent access a live Groww brokerage account. Store the API key as a secret, verify the groww-mcp server separately, and require manual confirmation with symbol, side, quantity, order type, and estimated cost before every buy, sell, or cancellation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill documents direct buy, sell, and cancel order operations against a live brokerage API without any explicit confirmation flow, warning that actions affect real funds, or recommendation to use a paper-trading/sandbox mode first. In an agent setting, this materially increases the risk of accidental or prompt-induced financial transactions being executed on a user's behalf.

VirusTotal

66/66 vendors flagged this skill as clean.