Security audit

Dspy Prompt Optimizer

Security checks across malware telemetry and agentic risk

Overview

This skill is labeled as a DSPy prompt optimizer, but its main instructions also define finance, market-data, and backtesting workflows that users would not reasonably expect from that label.

Install only if you actually want a finance/ZVT quant-strategy assistant, not a DSPy prompt optimizer. Review seed.yaml first; require explicit confirmation before any install, data fetch, provider access, backtest, or file creation; and do not supply broker or paid-provider credentials unless you understand exactly how they will be used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

High severity, 99% confidence
Finding
The file’s declared identity is a DSPy prompt-optimizer skill, but the actual content presents a materially different ZVT-based quant trading/backtesting capability. That mismatch can mislead reviewers, routing, and users into authorizing or invoking a far riskier finance workflow than expected, which is a classic capability-smuggling pattern.

Description-Behavior Mismatch

High severity, 99% confidence
Finding
The architecture section defines financial data collection, factor computation, trading execution, and visualization rather than prompt optimization. Embedding an unrelated execution pipeline under an innocuous skill label increases the chance that dangerous actions are approved, installed, or run without the scrutiny appropriate for financial automation.

Description-Behavior Mismatch

High severity, 98% confidence
Finding
The prerequisites and entry points are for ZVT installation and backtest execution, not DSPy optimization, confirming that the runtime actions do not match the advertised skill purpose. This creates a deceptive execution surface where a user expecting prompt-tuning may instead install finance packages and run market-data or strategy code.

Context-Inappropriate Capability

High severity, 98% confidence
Finding
The skill exposes investment-strategy generation and backtesting despite being presented as a prompt optimizer. This unjustified expansion into finance meaningfully raises operational, compliance, and user-harm risk because users may trust outputs as suitable for market decisions under a misleadingly low-risk skill identity.

Context-Inappropriate Capability

Medium severity, 92% confidence
Finding
The manifest broadens the skill into market-data fetching, Yahoo Finance workflows, and provider-driven financial use cases that are outside the scope of DSPy optimization. Even if not overtly malicious, this scope creep increases the chance of unauthorized external calls, misleading invocation, and policy bypass through an inaccurately categorized skill.

Intent-Code Divergence

High severity, 99% confidence
Finding
The user-facing summary explicitly markets A-share quant strategy building with ZVT, directly contradicting the DSPy prompt-optimizer identity. This is dangerous because user-facing text drives trust and consent; here it normalizes a concealed high-risk financial capability that should have been separately disclosed and governed.

Vague Triggers

Medium severity, 84% confidence
Finding
A broad trigger that overlaps with ordinary language can activate the skill unintentionally, which is more serious here because the underlying workflow can lead to external data access, file generation, and trading/backtesting actions. Overbroad activation is especially risky when the skill is already mislabeled and higher impact than users would expect.

Vague Triggers

Medium severity, 86% confidence
Finding
Several triggers are underspecified, increasing the chance of accidental routing into this skill from generic user requests. In a high-risk finance-capable skill, accidental invocation can expose users to unwanted package installation, market-data retrieval, or generation of strategy artifacts without informed intent.
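The mismatch and trigger findings above can be approximated with a mechanical pre-check before a human reads the manifest. The following Python is an added example written for this audit page, not SkillSpector's or the skill's own code. The manifest schema (name, description, triggers, instructions) and the sample manifest content are assumptions constructed to resemble the labeling problem described, not the audited seed.yaml. The check measures how many terms of the declared description actually occur in the instruction body, lists body terms the description never mentions, flags triggers that are too short or share nothing with the description, and lists side-effecting verbs that should each sit behind a confirmation gate.

```python
"""Heuristic manifest checks for description/behavior mismatch and
overbroad or off-label triggers.

Added example, not SkillSpector's code. The manifest schema and the sample
content below are assumptions constructed for illustration.
"""
import re
from collections import Counter

STOPWORDS = {
    "a", "an", "and", "the", "of", "to", "from", "with", "for", "in", "on",
    "as", "such", "after", "my", "me", "please", "this", "that",
}

# Verbs that change state outside the conversation; each should require an
# explicit confirmation (install, fetch, backtest, file creation).
SIDE_EFFECT_TERMS = {"install", "fetch", "download", "write", "run",
                     "execute", "send", "upload"}

# Constructed sample: the label says "prompt optimizer", the body describes a
# quant-trading pipeline. Assumed schema, not a real seed.yaml.
SAMPLE_MANIFEST = {
    "name": "dspy-prompt-optimizer",
    "description": "Optimize DSPy prompts and signatures with teleprompters.",
    "triggers": ["optimize", "help me", "improve my prompt", "backtest strategy"],
    "instructions": (
        "Install zvt and fetch A-share market data from providers such as "
        "Yahoo finance. Compute factors, build the quant strategy, run the "
        "backtest and plot results. After hard gates pass, write the .skill "
        "artifact automatically."
    ),
}


def terms(text):
    """Lowercased content words, crude plural stripped, as a Counter."""
    words = re.findall(r"[a-z][a-z-]*[a-z]|[a-z]", text.lower())
    out = []
    for w in words:
        if w in STOPWORDS or len(w) < 3:
            continue
        if w.endswith("s") and not w.endswith("ss") and len(w) > 3:
            w = w[:-1]  # prompts -> prompt, providers -> provider
        out.append(w)
    return Counter(out)


def description_mismatch(description, body, threshold=0.2):
    """Share of description terms that also appear in the body. A low share
    means the body does things the label does not advertise."""
    desc, text = set(terms(description)), terms(body)
    shared = {t for t in desc if t in text}
    overlap = len(shared) / len(desc) if desc else 1.0
    unadvertised = [t for t, _ in text.most_common() if t not in desc]
    return {"overlap": overlap, "mismatch": overlap < threshold,
            "unadvertised": unadvertised}


def trigger_issues(triggers, description, min_words=2):
    """Broad: fewer than min_words content words, so ordinary language
    activates it. Off-label: trigger shares no term with the description."""
    desc = set(terms(description))
    broad, off_label = [], []
    for trig in triggers:
        words = set(terms(trig))
        if len(words) < min_words:
            broad.append(trig)
        if words and not (words & desc):
            off_label.append(trig)
    return {"broad": broad, "off_label": off_label}


def side_effects(body):
    """Side-effecting verbs present in the instruction body, sorted."""
    return sorted(t for t in terms(body) if t in SIDE_EFFECT_TERMS)


def audit(manifest):
    body = manifest["instructions"]
    return {
        "name": manifest["name"],
        "description": description_mismatch(manifest["description"], body),
        "triggers": trigger_issues(manifest["triggers"], manifest["description"]),
        "side_effects": side_effects(body),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_MANIFEST), indent=2))
```

The overlap threshold and the two-word trigger minimum are heuristics; a low score is a reason to read the manifest, not a verdict, and a well-labeled finance skill would score just as badly as a mislabeled one if its description were too terse.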

Missing User Warnings

Medium severity, 88% confidence
Finding
The manifest instructs automatic writing of a .skill artifact after hard gates pass, without a clear just-in-time warning or opt-in at the moment of persistence. Silent creation of reusable skill artifacts can surprise users, expand persistence of generated behavior, and make unintended capabilities easier to re-trigger later.

Missing User Warnings

Medium severity, 90% confidence
Finding
The skill supports external data fetching and credential-dependent providers but does not pair that with a clear privacy and transmission warning in the user-facing flow. Users may not realize their prompts, identifiers, market interests, or credentials could be sent to third-party services during execution.

Ssd 3

Medium severity, 90% confidence
Finding
The instructions tell the agent to consult host-generated memory artifacts during behavioral decisions, creating a route for prior conversational data to influence current outputs. In a skill that already spans finance and external providers, this raises privacy risk because prior user data may be reused without a tight need-to-know boundary.

Ssd 3

Medium severity, 91% confidence
Finding
The state machine mandates attempting and recording memory queries before proceeding, normalizing retrieval and reuse of prior user data as part of standard execution. That makes privacy leakage more likely, especially when combined with external data workflows and broad, mismatched skill capabilities.

VirusTotal

63/63 vendors flagged this skill as clean. A clean antivirus result on a text manifest does not address the findings above: AV engines look for known malicious code, not for instruction content that diverges from a skill's declared purpose.

Static analysis

No suspicious patterns detected.