Financepy Derivatives

Security checks across malware telemetry and agentic risk

Overview

The skill is advertised as FinancePy pricing support, but its artifacts also direct agents into ZVT market-data, backtesting, file-writing, and trading workflows that are not clearly bounded.

Review carefully before installing. Use it only if you intend ZVT-style quant/backtesting/trading assistance, run setup in an isolated environment, pin and review dependencies, disable or approve file-saving behavior, and require explicit confirmation before any market-data collection, broker connection, or trade-related execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (18)

Description-Behavior Mismatch

High
Confidence: 95%
Finding
The skill claims to provide FinancePy date-handling and derivatives pricing, but the documented pipeline expands into full trading workflow stages including data collection, target selection, trading execution, and visualization. This scope mismatch can cause an orchestrator or user to invoke the skill for actions far beyond its declared purpose, increasing the risk of unintended market-data access or trade-related behavior.

Intent-Code Divergence

High
Confidence: 96%
Finding
The file presents itself as a derivatives pricing skill, but later instructs users on A-share/HK/crypto market selection, stock data providers, factor strategies, backtesting windows, entity IDs, and trading constraints. This contradiction is dangerous because it disguises a broader trading-oriented capability behind a narrower financial-pricing label, undermining trust boundaries and review accuracy.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The human summary materially conflicts with the declared skill purpose: instead of FinancePy date handling and derivatives/bond/swap pricing, it advertises a ZVT-based market data, factor strategy, and backtesting workflow. This kind of capability mismatch is dangerous because it can mislead users and orchestration systems into invoking a skill with broader or different behavior than expected, increasing the risk of unauthorized data access, unintended code generation, or policy bypass.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The summary claims end-to-end trading pipeline capabilities, data-provider integrations, factor screening, and backtesting that are not justified by the narrow FinancePy derivatives/date-processing description. Overstated capabilities are a security concern because they expand the apparent trust boundary and may cause users or agents to request actions involving external data sources, trading logic, or code execution paths that were not intended or reviewed.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The lock file is materially misaligned with the declared skill purpose: it defines stock-trading and backtesting constraints, not FinancePy date-processing or derivatives pricing behavior. This can cause the agent to import unrelated trading assumptions, execute inappropriate workflows, or request/install irrelevant infrastructure, which is especially dangerous in finance because it can produce incorrect outputs or operationally unsafe actions under a false capability boundary.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The documented preconditions require ZVT market-data infrastructure that is not justified by a FinancePy derivatives-pricing skill. Unrelated dependency installation and initialization increases attack surface, may trigger unnecessary code execution or network/data access, and can mislead operators into trusting an environment setup that has nothing to do with the advertised pricing functionality.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The file’s declared identity and purpose describe a FinancePy derivatives/date-processing skill, but the embedded behavior defines a ZVT trading/backtesting workflow with package installs, data collection, code generation, execution, and output writing. This capability mismatch is dangerous because users or hosts may grant trust, permissions, or invoke the skill under false assumptions, enabling materially different actions than the advertised scope.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The embedded 88-capability catalog markets A-share quantitative strategy construction with ZVT, directly contradicting the stated FinancePy derivatives/date/pricing purpose. This increases risk because downstream systems and users may authorize a supposedly analytical finance utility while actually enabling a much broader trading automation surface.

Intent-Code Divergence

High
Confidence: 98%
Finding
The human-facing summary explicitly says the skill helps build A-share quant strategies with ZVT, which conflicts with the declared FinancePy analytics purpose. User-facing misrepresentation is especially dangerous because it shapes consent and operator expectations at the moment of use, potentially normalizing code generation, market-data access, and trading-oriented actions that were not expected from the metadata.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
Trading execution and backtesting are materially more powerful than the stated purpose of FinancePy date handling and pricing. Embedding execution-oriented logic inside a skill presented as an analytics helper broadens the attack surface and can lead to unauthorized code generation, strategy execution, or risky operational decisions under misleading scope assumptions.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill includes external market-data collection and SQLite persistence even though the declared purpose is FinancePy analytics. That discrepancy matters because network/data-ingest and local persistence expand privacy, integrity, and operational risks beyond a pure local pricing/date utility, especially if hosts auto-install and auto-run based on metadata trust.

Vague Triggers

High
Confidence: 93%
Finding
The execute trigger fires when user intent matches positive terms and the user uses a generic action verb such as run, execute, 跑, 执行, backtest, fetch, or collect. Such broad matching can lead to accidental or overly permissive activation, especially in financial contexts where unintended invocation could trigger sensitive analysis or downstream trading-related steps.

Vague Triggers

Medium
Confidence: 84%
Finding
Trigger phrases like calendar, holiday, business days, date creation, add days, and add months are common natural-language terms that may appear in benign conversation unrelated to this skill. Overlapping generic triggers increase the chance of accidental routing into a finance-oriented skill, causing context confusion and possibly exposing broader hidden behavior described elsewhere in the file.

Vague Triggers

Medium
Confidence: 86%
Finding
Broad trigger terms that overlap with ordinary language can cause accidental invocation of the skill. In this file, that is more dangerous than usual because the skill’s effective behavior includes installation, code-writing, data collection, and execution-oriented workflows, so unintended activation has real side effects.

Vague Triggers

Medium
Confidence: 85%
Finding
Several generic trigger phrases are likely to collide with normal conversation and route users into this skill unexpectedly. Because this manifest also contains execution and file-writing behavior, accidental routing is not just a UX issue; it can lead to unintended installs, script generation, or persistence actions.

Vague Triggers

Medium
Confidence: 90%
Finding
The manifest uses many highly generic one-word or short triggers across a large intent surface, making collisions and false activations likely. Given the hidden mismatch between advertised FinancePy behavior and actual ZVT-style trading/execution behavior, this broad routing surface amplifies the chance that users invoke a materially different skill than intended.

Missing User Warnings

Medium
Confidence: 93%
Finding
The manifest describes automatically writing .skill files after execution without a prominent, consolidated warning that the filesystem will be modified. Silent or weakly disclosed persistence is risky because it creates durable artifacts and changes host state, which is especially concerning in a skill already suffering from identity/scope mismatch.

Missing User Warnings

Medium
Confidence: 91%
Finding
The human summary advertises automatic data fetching and code-writing behavior without a single clear warning summarizing network, filesystem, and execution impact. Users may reasonably interpret the skill as a finance helper rather than a side-effecting automation tool, so the lack of consolidated disclosure undermines informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.
