Security audit

Prediction Trade Journal

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed trade journal that fetches Simmer trade history with a user API key and saves it locally for reports.

Install only if you are comfortable giving the skill access to your Simmer trade history. Store SIMMER_API_KEY as a secret, keep the data directory private, review CSV exports before sharing them, and do not override SIMMER_API_URL unless you trust the endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill tells users to obtain and store a live API key but does not warn that this credential is sensitive or advise safe handling. That omission increases the chance the key is pasted into chat, committed to source control, logged in shell history, or stored insecurely, which could enable unauthorized access to the user's trading data or account functions exposed by the API.

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill says it syncs trades from a remote API and stores them locally in data/trades.json, but it does not prominently warn users that their trading history and associated context will be copied onto disk. This matters because trade history can reveal financial behavior, strategy, and linked metadata such as thesis or source, making local compromise or accidental sharing more damaging.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.