Back to skill

Security audit

Portfolio Watcher Hardened

Security checks across malware telemetry and agentic risk

Overview

This appears to be a finance price/portfolio helper with broad trigger phrases, but the available evidence does not show hidden, destructive, or deceptive behavior.

Install only if you are comfortable with a finance skill activating on broad price-related phrases. Avoid storing sensitive portfolio details unless needed, and confirm before revealing holdings, changing tracked assets, or creating alerts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrase "stock price" is very generic and likely to appear in normal user conversation, which can cause unintended skill activation. In a finance skill, accidental invocation is more sensitive because it may expose or act on private portfolio context, surface financial data unexpectedly, or set the stage for unintended portfolio-related actions.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrase "crypto price" is also overly broad and can match ordinary requests that are not intended to launch this specific skill. Because the skill handles sensitive holdings and alerts, unintended activation increases privacy risk and the chance of unauthorized or confusing actions in shared or ambiguous contexts.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.