Investing

Security checks across malware telemetry and agentic risk

Overview

This investing skill is mostly transparent, but it includes recurring agent prompts and workflow language that could lead to financial trades or rebalancing without clear per-trade user approval.

Review this skill before installing if your agent can access broker, crypto-exchange, spreadsheet, or scheduled-task tools. Use it as an advisory price and allocation helper only, and require explicit manual approval before any trade, rebalance, recurring prompt, or account action.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill embeds executable shell scripts and operational instructions to run them, but does not declare any corresponding permissions or execution capabilities. This creates a transparency and control gap: a user or platform may not expect code execution or network access, increasing the chance that commands are run without appropriate review or sandboxing.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal