Back to skill

Security audit

ipo-tracker

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent IPO watchlist/reporting skill with routine command, dependency, file-output, and market-data retrieval behavior for its stated purpose.

Install if you want an agent to generate IPO reports or TradingView watchlists, but ask it explicitly before running scripts, installing dependencies, fetching live market data, or writing export files. Treat any resulting market information as research, not financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The auto-trigger list is broad enough that the skill may activate on loosely related requests such as general IPO discussion, stock listings, or watchlist creation without the user explicitly asking to run this skill. Because the skill can invoke Bash and install dependencies, unintended activation increases the chance of unnecessary command execution and external data retrieval in contexts where the user only wanted information, not tool use.

Vague Triggers

Low
Confidence
82% confidence
Finding
The activation guidance lists positive triggers but provides no scope boundaries, exclusions, or examples of when the skill should not run. That ambiguity can cause over-activation, especially for routine financial conversations about IPOs, leading the agent to execute scripts and write files when a simple textual answer would have been safer and sufficient.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.