Security audit

Credit Transition Matrix

Security checks across malware telemetry and agentic risk

Overview

This skill is packaged as a credit-risk matrix helper, but its artifacts also steer agents toward quant trading, market data collection, backtesting, and broker/provider workflows.

Install only if you knowingly want a mixed credit-risk and ZVT quant/backtesting assistant. Before allowing execution, confirm any package installs, market-data downloads, local ZVT writes, paid-provider use, broker-related steps, generated scripts, or trading/order-related logic.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (18)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill is advertised as a credit transition matrix utility, but the pipeline and interaction text expand it into market data collection, factor computation, backtesting, and trading execution. This scope mismatch can cause the agent to invoke the skill for trading-related tasks the user did not intend, creating capability confusion and potentially unsafe financial actions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
A credit migration matrix processor should not solicit strategy type, target markets, stock identifiers, or prescribe trading execution behavior. Embedding trading functionality in a utility with a benign analytical name can misroute user requests and enable unauthorized or unexpected financial decision support or execution paths.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The file presents contradictory intent: the title and description describe credit-risk matrix processing, while later sections define trading-system rules and execution behavior. This contradiction increases the chance of unsafe invocation, reviewer misunderstanding, and downstream policy bypass through misleading packaging.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The human-facing summary describes a broad ZVT quant trading and backtesting assistant, while the declared skill is for credit transition matrix processing. This mismatch can mislead users or an orchestrating agent into invoking the skill for capabilities outside its intended scope, creating tool confusion, unintended activation, and possible access to unrelated workflows or data handling paths.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The documented capabilities include market data acquisition, factor screening, and trading/backtesting workflows that are unrelated to credit migration matrix operations. In an agent ecosystem, these misleading claims can cause improper routing and over-privileged use, especially if downstream systems trust the summary to determine what actions the skill may perform.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file introduces trading-system semantic locks and zvt environment preconditions that are unrelated to the declared purpose of a credit-transition-matrix skill. Mismatched operational constraints can mislead an agent into performing or preparing for unintended financial/trading workflows, expanding the skill's effective scope and creating a prompt-/spec-injection style risk.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The semantic locks mandate concrete trading behavior such as sell-before-buy execution, next-bar execution, T+1 handling, and transaction semantics even though the skill is described as processing credit rating transition matrices. In this context, these instructions are dangerous because they can steer downstream agents or operators toward unauthorized trading logic, causing scope confusion and potentially unsafe financial actions.

Description-Behavior Mismatch

Critical
Confidence
99% confidence
Finding
The seed file materially mismatches the declared skill purpose: instead of a narrow credit transition-matrix tool, it embeds a ZVT quant trading/backtest workflow with trading execution, market-data handling, and strategy scaffolding. This is dangerous because it can cause the host to invoke code paths and permissions far beyond user expectations, enabling unintended trading-related behavior under a misleading finance/credit-risk label.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
User-facing documentation advertises A-share quant-strategy construction even though the manifest describes credit transition-matrix processing. This creates deceptive capability signaling: users and orchestrators may authorize execution under a low-risk analytical label while the skill promotes much broader market/trading functionality.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The human summary explicitly says the skill helps build stock-market strategies and backtests, contradicting the declared transition-matrix purpose. In context, this increases risk because the summary is the first thing users and hosts may rely on, making scope confusion likely and normalizing unrelated execution behavior.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The file includes live market-data collection, trading/backtest execution flow, provider integration, and strategy scaffolding that are unjustified for a credit transition-matrix processor. This broadens the attack surface substantially by introducing code-generation and execution pathways, filesystem writes, data collection, and trading semantics under an unrelated skill identity.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The execute trigger matches broad positive terms plus generic action verbs like run, execute, fetch, and collect. Such loose matching can cause accidental invocation on unrelated requests, especially because the skill already contains mismatched trading capabilities under a benign credit-risk label.

Vague Triggers

Medium
Confidence
86% confidence
Finding
Triggers such as 'data cleaning', 'preprocessing', and generic credit-rating terms are too broad to safely identify a specialized transition-matrix skill. Overbroad triggers increase unintended activation and can expose users to irrelevant or riskier behaviors defined elsewhere in the same file.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Phrases like 'Just tell me what you want; I'll write the code' are overly broad and imply open-ended assistance beyond the skill's declared purpose. This increases the chance of accidental or policy-bypassing invocation because users or planners may interpret the skill as a general quant assistant rather than a narrowly scoped matrix-processing tool.

Vague Triggers

Medium
Confidence
84% confidence
Finding
An overly broad trigger term can cause accidental invocation on unrelated user prompts. In this file, that risk is amplified because accidental activation would route the user into an unexpectedly broad trading/backtest workflow rather than a narrow matrix-analysis tool.

Vague Triggers

Medium
Confidence
85% confidence
Finding
Generic intent-router trigger terms are likely to collide with everyday analytical requests, producing ambiguous or incorrect UC selection. Because this skill already contains scope-confused trading capabilities, ambiguous activation increases the chance of misrouting users into higher-risk actions or data requirements.

Vague Triggers

Medium
Confidence
83% confidence
Finding
A single-word generic trigger is too vague to safely identify user intent. In a skill with mixed credit-risk and trading language, such a vague trigger creates a real risk of unintended activation and execution of unrelated workflows.

Vague Triggers

Medium
Confidence
83% confidence
Finding
Generic trigger words create an activation surface that is broader than the declared analytical function of the skill. That is especially dangerous here because ambiguous routing combines with misleading metadata and expanded execution features, increasing the chance of unauthorized or surprising behavior.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.