波龙股神量化交易系统

Security checks across malware telemetry and agentic risk

Overview

This finance skill is mostly transparent about trading features, but it can place real trades without confirmation and presents some simulated or heuristic analysis as stronger than it is.

Review this carefully before installing. Use paper trading only unless you have audited the broker executors, added explicit confirmations for every live order and close_all action, protected all credentials, and disabled or tightly scoped Telegram notifications. Do not treat the default stock_picker.py output as investment-grade because key scoring inputs are randomly generated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Intent-Code Divergence
Severity: Medium | Confidence: 94%
Finding: The close_position helper contradicts its safety-oriented purpose by issuing close orders with price=0, which can translate into effectively unbounded market-style execution depending on the downstream API. In a live futures trading context, this can cause severe slippage, unintended fills, or liquidation-like behavior during volatile markets, making it a genuine trading-safety vulnerability.

Intent-Code Divergence
Severity: Medium | Confidence: 98%
Finding: The advertised stock-picking engine claims to use multi-factor market data, but the core scoring path generates random values for PE, ROE, growth, RSI, volume, and fund flow instead of real fetched inputs. In a financial decision-support context, this is dangerous because it can produce authoritative-looking but arbitrary recommendations, misleading users into acting on fabricated analysis and potentially causing financial loss.

Intent-Code Divergence
Severity: Medium | Confidence: 93%
Finding: The module documentation states that it excludes stocks with near-1-month gains over 25%, but the implementation only checks same-day percentage change. In a financial decision-support skill, this mismatch can mislead users into trusting a risk control that does not actually exist, producing materially different stock picks than advertised.

Intent-Code Divergence
Severity: Medium | Confidence: 90%
Finding: The docstring claims the strategy needs no historical K-line data while simultaneously describing month-based filtering, which cannot be derived from realtime-only quotes in the current code. This inconsistency undermines the reliability of the tool's stated risk controls and can cause users to make investment decisions based on false assumptions about the model's screening logic.

Intent-Code Divergence
Severity: Medium | Confidence: 89%
Finding: The docstring states that RPS is a market-relative strength ranking, but the implementation derives it only from the individual stock's own return using a heuristic mapping. In a trading skill, this mismatch can materially mislead downstream users or agents into making decisions based on a falsely represented indicator, creating integrity and financial-risk issues even though it is not a classic code-execution flaw.

Vague Triggers
Severity: Medium | Confidence: 88%
Finding: The manifest uses very broad finance and investment keywords across stock trading, futures, auto trading, and generic investing terms, which can cause the skill to be invoked for loosely related user requests. In an agent ecosystem, overbroad matching is dangerous because it increases the chance that a high-risk trading skill is selected in contexts where the user did not intend real trading or sensitive financial workflows.

Missing User Warnings
Severity: Medium | Confidence: 92%
Finding: The skill documents real-money trading connectors, broker credentials, and Telegram alert integrations but does not include concrete guidance on secure credential storage, least-privilege handling, or what data may be transmitted externally. In context, this is more dangerous because the skill can interact with financial accounts and outbound messaging services, so weak handling could expose account secrets or portfolio data, or enable unauthorized trading-related actions.

Missing User Warnings
Severity: High | Confidence: 96%
Finding: The CLI exposes destructive trading operations such as `close_all` in live mode without any explicit confirmation, dry-run preview, or secondary approval. In the context of a brokerage executor, a mistyped command, automation bug, or unauthorized shell access could immediately liquidate positions using real funds, causing substantial financial loss.

Missing User Warnings
Severity: High | Confidence: 97%
Finding: The `buy` and `sell` command paths submit orders directly after argument parsing, even when `--mode live` is selected, with no human-in-the-loop confirmation or transaction summary. Because this skill is specifically designed to place securities trades, the lack of a confirmation safeguard materially increases the chance of accidental or scripted real-money orders.

Missing User Warnings
Severity: Medium | Confidence: 92%
Finding: The CLI can trigger order placement and position-closing actions, including in live mode, without any explicit confirmation, dry-run preview, or secondary safeguard. In trading software this materially increases the risk of accidental or automated destructive actions, especially when combined with scripts, operator mistakes, or compromised calling contexts.

VirusTotal

65/65 vendors flagged this skill as clean.