Back to skill

Security audit

cn-funds-mcp

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed China fund and stock helper that stores portfolio and reminder data locally, with no evidence of hidden exfiltration, credential use, trading authority, or destructive behavior beyond its own saved records.

Install only if you are comfortable storing fund codes, shares, cost basis, and reminders in local JSON files, and with queried fund or stock identifiers being sent to public market-data APIs. Redact account numbers or balances before using screenshot import, review/delete the local data files when you no longer need memory, and treat any add/reduce/stop-profit suggestions as informational rather than professional investment advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill description presents a finance data assistant, but the body also adds persistent reminder creation, trigger tracking, and local storage of reminder state. This mismatch matters because users may invoke the skill expecting read-only finance lookups, while it also performs cross-session stateful behavior that can alter user experience and retain data without clear upfront disclosure.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to call `check_reminders` at the start of every conversation regardless of user intent. This creates an over-broad autonomous action path that can expose prior reminder content or portfolio-related outputs in unrelated conversations, violating least surprise and potentially leaking sensitive financial context across sessions.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill directs the agent to generate concrete investment recommendations such as adding positions, taking profit, or reevaluating holdings based on simplistic thresholds. This can cause harmful financial advice without suitability checks, disclaimers, or confirmation, especially when triggered automatically through reminders rather than an explicit advice request.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The skill goes beyond passive fund/stock data retrieval and introduces reminder scheduling plus proactive workflow-driving behavior. That scope expansion matters because it can cause the agent to initiate actions and influence user behavior outside the stated assistant purpose, increasing the chance of unexpected or undesired automated actions.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
Reminder capability is not obviously necessary for a market-data assistant and materially changes the trust and risk profile of the skill. Hidden scheduling functionality can surprise users, create unwanted persistence, and enable recurring agent behavior that they did not reasonably expect from the published description.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The check_reminders tool returns inline instructions telling the AI to 'immediately' fetch portfolio profit and give add/reduce position advice. Embedding trading-action guidance inside tool output is dangerous because it can steer the model into providing personalized investment recommendations that exceed the declared scope and may be treated as authoritative by users.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README explicitly states that portfolio and reminder data are stored locally in JSON files, but it does not warn users that this may include sensitive personal financial information and behavioral data. In the context of a finance-related skill, silent local persistence increases privacy risk because users may not realize their holdings, cost basis, and reminder preferences remain on disk and could be exposed to other local users, backups, or accidental commits.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger condition is very broad and activates on many common finance-related keywords. Overly broad invocation increases the chance the skill is engaged in contexts where the user did not intend portfolio access, reminder checks, or financial-data actions, which can lead to unnecessary data processing and confusing or privacy-invasive behavior.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill states that portfolio data is persisted in `data/portfolio.json` across sessions, but it does not prominently warn users before collection/storage occurs. Persistent storage of financial holdings is sensitive, and lack of clear notice and consent raises privacy risk if users do not realize their investment data will be retained.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The screenshot import flow encourages users to upload portfolio screenshots from finance apps, which may contain sensitive holdings, balances, account identifiers, and other personal financial information. Without a prior privacy warning or minimization guidance, users may disclose more sensitive data than necessary for the requested task.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The portfolio-saving tool writes user financial holdings data to persistent storage without prior disclosure in this file's interface or behavior description. Persisting sensitive financial preference/position data unexpectedly creates privacy and consent risks, especially if users assume the interaction is ephemeral.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The removal tool deletes persisted holdings immediately based on a fund code, with no confirmation or undo flow. This is risky because accidental or induced tool invocation can irreversibly remove user financial records and degrade integrity of portfolio tracking.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The reminder-setting tool likely stores scheduled reminder data persistently, but that persistence is not clearly disclosed to the user at setup time. Unexpected storage of behavior/schedule data can create privacy concerns and contributes to hidden long-lived agent state.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The reminder-removal tool deletes stored reminder data without any confirmation. While lower impact than portfolio deletion, accidental invocation can still cause loss of user-configured automation and undermine reliability of the service.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code persists portfolio and reminder data to local disk in predictable files without any visible consent, retention policy, or disclosure mechanism. Because this data can reveal financial interests, holdings, and behavior patterns, silent persistence creates a privacy and data-handling risk, especially in shared or unmanaged runtime environments.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.