Easytrader Cn Broker

Security checks across malware telemetry and agentic risk

Overview

This skill appears to support real broker automation, but its instructions mix live trading with broader quant research/backtesting workflows in a way users should review carefully before installing.

Install only if you intentionally want a broker-connected finance skill. Use an isolated Python environment, avoid real broker credentials until you have confirmed dry-run behavior, require explicit confirmation for every live order or cancellation, and review any generated server, heartbeat, or .skill-file changes before letting them run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding:
The skill is presented as broker automation, but the documented pipeline and prompts broaden it into data collection, factor research, target selection, and backtesting workflows. This scope expansion can cause the agent to invoke capabilities beyond what a user reasonably expects, increasing the chance of unintended execution paths that culminate in real trading actions.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding:
The human summary materially misrepresents the skill as a broad quant research and backtesting assistant rather than a broker-client trading automation skill. This kind of scope drift can cause an agent or user to invoke the skill for unsupported workflows, increasing the chance of unsafe trading actions, bad assumptions about market/support coverage, and misuse of broker-connected capabilities.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding:
The documented capabilities expand beyond the declared A-share broker automation purpose into unsupported market coverage (HK, crypto, US caveats) and research/data workflows. In a trading context, misleading capability claims are risky because they can prompt an agent to generate or execute actions based on nonexistent or unvalidated functionality, potentially leading to erroneous orders, data misuse, or unsafe operational decisions.

Description-Behavior Mismatch

High
Confidence: 98%
Finding:
The seed manifest for a broker automation skill is substantially replaced with a ZVT backtesting/research crystal, including different preconditions, execution paths, and user-facing purpose. In a trading context, this is dangerous because the host may route users into unintended code paths, install irrelevant packages, or generate/execute quant workflows under the authority of a broker-automation skill, creating capability confusion and increasing the chance of unsafe operations.

Intent-Code Divergence

High
Confidence: 97%
Finding:
The human-facing summary explicitly claims the skill helps users build A-share quant strategies with ZVT, which contradicts the broker automation description. This kind of deceptive capability surface is especially risky for finance tools because users may authorize actions or trust outputs under false assumptions about what software is actually being used.

Context-Inappropriate Capability

High
Confidence: 96%
Finding:
The file grants broad backtesting, factor-research, and strategy-generation capabilities that are not justified by the stated broker automation purpose. Expanding effective authority in a financial skill is dangerous because it widens what an agent may execute or claim, enabling unauthorized workflow generation and potentially unsafe trading or research actions outside the reviewed scope.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding:
Execution routing and scaffold entry points are centered on backtest/collector flows instead of the manifest's broker trading operations. In practice this can cause the host to trigger code generation or execution for the wrong task class, leading to unsafe automation and mis-scoped access in a trading environment.

Vague Triggers

Medium
Confidence: 83%
Finding:
Broad trigger terms such as server/api/http can cause the skill to activate in contexts that are only loosely related to broker trading. In a skill with account access and order-management semantics, accidental invocation is dangerous because it may expose trading functions or prepare live actions without sufficiently specific user intent.

Vague Triggers

Medium
Confidence: 92%
Finding:
The execute trigger fires when intent matches positive terms and the user includes generic action verbs like run, execute, 跑, 执行, backtest, fetch, or collect. This is ambiguous and overly permissive, especially in a finance skill where ordinary research requests could be misrouted into execution-capable workflows that touch broker state or trading operations.

Missing User Warnings

High
Confidence: 97%
Finding:
The skill description advertises automated broker login and trading operations but does not prominently warn that it can perform live, account-impacting actions. In the context of A-share broker automation, missing safety disclosure materially increases the risk of users invoking live trades, cancellations, or account changes without understanding the consequences.

VirusTotal

66/66 vendors flagged this skill as clean.
