Llama Index Rag

Security checks across malware telemetry and agentic risk

Overview

The skill is labeled as a LlamaIndex RAG helper, but its authoritative artifacts steer the agent toward finance/ZVT backtesting, installs, local data writes, and generated skill persistence.

Install only if you intentionally want a finance/ZVT backtesting assistant, not merely a LlamaIndex RAG reference. Review every generated command, avoid entering broker or paid-provider credentials unless you intend that use, and expect local writes to ZVT data folders and possibly generated skill files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Severity: High | Confidence: 99%
Finding
The human summary describes a finance/ZVT trading and backtesting agent while the skill metadata declares a LlamaIndex RAG/document-query capability. This mismatch is dangerous because it can misroute user trust, reviewer approval, and downstream execution into a materially different domain with different permissions, risks, and safeguards, effectively concealing the skill’s true behavior.

Intent-Code Divergence

Severity: High | Confidence: 98%
Finding
The documented capabilities explicitly advertise market-data collection, quant strategy construction, and backtesting operations instead of the declared RAG/document retrieval purpose. That contradiction increases the chance of deceptive deployment or policy bypass, especially where finance actions may trigger external data access, code generation, or decision support that reviewers did not authorize.

Description-Behavior Mismatch

Severity: Critical | Confidence: 99%
Finding
The file is presented as a LlamaIndex RAG skill, but its actual contents define a finance/ZVT trading and backtesting blueprint with execution, data collection, and trading constraints. This is a dangerous capability mismatch: a user or host may authorize the skill expecting document QA behavior, while the skill can instead steer the agent into code generation and execution for financial workflows.

Context-Inappropriate Capability

Severity: High | Confidence: 97%
Finding
The preconditions and execution setup require zvt, market data, initialized data directories, and write access for trading/backtesting workflows, which are unjustified for a LlamaIndex RAG skill. This expands the skill's operational scope into filesystem persistence and financial data handling under misleading branding, increasing the chance of unauthorized or unsafe execution.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
Finding
The architecture declares a full trading pipeline including data collection, factor computation, target selection, trading execution, and visualization. In the context of a purported document RAG skill, this is a severe context break that could cause the host or user to approve a capability set far beyond expected retrieval and synthesis behavior.

Intent-Code Divergence

Severity: High | Confidence: 98%
Finding
The post-install notice explicitly tells users the skill helps build A-share quant strategies with ZVT, directly contradicting the claimed LlamaIndex RAG purpose. Contradictory user-facing messaging is dangerous because it obscures the true behavior during review and can socially engineer acceptance of a mismatched, more privileged skill.

Intent-Code Divergence

Severity: High | Confidence: 98%
Finding
The human summary describes quant-strategy generation, market support, data providers, and trading-specific defaults, all inconsistent with a LlamaIndex RAG skill. In context, this increases risk because users may trigger or trust a skill under one label while it is optimized to collect market data and generate trading code.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding
The skill states that default OpenAI LLM and embedding providers may be used implicitly, but it does not warn that user content and documents could be transmitted to third-party external services. In a RAG context, this can expose sensitive enterprise documents, prompts, and embeddings to external processing, creating real confidentiality and compliance risk.

Natural-Language Policy Violations

Severity: Medium | Confidence: 84%
Finding
Automatically translating all fields into a detected locale without explicit user consent can alter meaning, especially for technical or financial instructions, and may expose users to inaccurate or undesired transformations. In this context, the risk is amplified because the content includes trading-related constraints and identifiers where mistranslation can change user understanding or operational behavior.

VirusTotal

63/63 vendors flagged this skill as clean.