
Security audit

Finance Kg Embedding

Security checks across malware telemetry and agentic risk

Overview

This skill is labeled as knowledge-graph model training, but its artifacts also direct quant backtesting, trading workflows, broker/provider integration, and persistent skill-writing behavior; users should review all of these before installation.

Install only if you intentionally want a combined KG-modeling and ZVT quant/backtesting assistant. Keep it limited to research or paper/backtest workflows, run setup in an isolated Python environment, set ZVT_HOME to a controlled directory, and do not provide broker or paid-provider credentials unless the skill is updated to clearly declare credential scope and require explicit confirmation for any broker-connected action.
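A pre-install check for the three conditions above (an isolated interpreter, ZVT_HOME resolving under a directory you control, and no broker or paid-provider credentials in the environment), written as an added example for this page; it is not code from the audit tooling or from the skill. The credential-name patterns and the sandbox root are assumptions, and the environments it is tried against are constructed.

```python
"""Pre-install environment hygiene check for a quant/backtesting skill.

Added example for this page, not part of the audit or the skill. It verifies
the overview's three conditions before any setup script is allowed to run.
The credential-variable patterns and the sandbox root are assumptions.
"""
import os
import re
import sys
from pathlib import Path
from typing import Dict, List

# Assumed: env var names that suggest broker or paid-provider credentials
# were handed to the process. Constructed list, deliberately not exhaustive.
CREDENTIAL_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"BROKER", r"_TOKEN$", r"_SECRET$", r"API_KEY", r"PASSWORD")
]


def in_virtualenv(prefix: str = sys.prefix, base_prefix: str = sys.base_prefix) -> bool:
    """True when the interpreter runs inside a venv (prefix differs from base)."""
    return prefix != base_prefix


def zvt_home_is_controlled(env: Dict[str, str], allowed_root: Path) -> bool:
    """ZVT_HOME must be set and resolve under allowed_root.

    resolve() collapses '..' and symlinks, so a value that escapes the root
    via traversal is rejected rather than matched on its string prefix.
    """
    raw = env.get("ZVT_HOME")
    if not raw:
        return False
    home = Path(raw).expanduser().resolve()
    root = allowed_root.expanduser().resolve()
    return home == root or root in home.parents


def leaked_credentials(env: Dict[str, str]) -> List[str]:
    """Names of environment variables that look like broker/provider secrets."""
    return sorted(k for k in env if any(p.search(k) for p in CREDENTIAL_PATTERNS))


def check_environment(env: Dict[str, str], allowed_root: Path,
                      prefix: str = sys.prefix, base_prefix: str = sys.base_prefix) -> dict:
    """Aggregate the three checks; ok is True only when none of them fail."""
    problems = []
    if not in_virtualenv(prefix, base_prefix):
        problems.append("not running in an isolated Python environment")
    if not zvt_home_is_controlled(env, allowed_root):
        problems.append("ZVT_HOME unset or outside the controlled directory")
    leaked = leaked_credentials(env)
    if leaked:
        problems.append("credential-like variables present: " + ", ".join(leaked))
    return {"ok": not problems, "problems": problems}


if __name__ == "__main__":
    # Assumed sandbox root; the real process environment is inspected here.
    report = check_environment(dict(os.environ), Path("~/zvt-sandbox"))
    for problem in report["problems"]:
        print("refuse setup:", problem)
    sys.exit(0 if report["ok"] else 1)
```

Run it in the interpreter that will execute the skill's setup, before installing anything: a non-zero exit means one of the overview's preconditions is not met. Clearing the flagged variables is not enough on its own; the skill should also declare its credential scope, as the overview asks.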

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (17)

Description-Behavior Mismatch

Severity: High
Confidence: 94%
Finding: The manifest and title position this as a dynamic knowledge-graph embedding training skill, but the documented pipeline and prompts expand into trading execution, stock selection, and backtesting behavior. This scope mismatch is dangerous because it can cause the agent/router to invoke a skill in financial-trading contexts the user did not intend, enabling unsafe action escalation from modeling to execution.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding: The documentation claims the skill is for KG embedding training, but later sections describe trading signals, order semantics, next-bar execution, and backtesting inputs. Such contradictory documentation undermines safe routing and review, making it more likely the skill will be selected under false assumptions and used in higher-risk financial workflows.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The human summary materially contradicts the declared skill purpose: the metadata says this skill trains dynamic knowledge graph embedding models, while the summary describes a ZVT quant-trading and backtesting assistant. This mismatch can mislead users and downstream agents into invoking the skill for unintended financial workflows, increasing the risk of unsafe tool use, policy bypass, or execution of capabilities outside the reviewed scope.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding: The file's locks and preconditions are for stock-trading execution and market-data operations, which do not align with the declared purpose of a dynamic knowledge-graph embedding training skill. This kind of capability mismatch is dangerous because it can conceal unintended or unauthorized trading-related behavior, expand the operational scope of the skill, and mislead reviewers or users about what the skill actually does.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The presence of sell/buy order sequencing, next-bar execution, transaction costs, T+1 restrictions, and trading signal semantics indicates brokerage-style or strategy-execution functionality embedded in a skill advertised as model training. In this context, the mismatch makes the skill more dangerous because finance tooling may operate on real or sensitive market environments, and users could unintentionally enable trading-oriented workflows they did not consent to.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The preconditions require ZVT installation, fetching market data, and write access to local data directories, which is broader than what is justified for a KG embedding skill description. Unnecessary data access and filesystem write requirements increase attack surface, enable unneeded local state changes, and may facilitate covert collection or persistence behavior under the guise of model setup.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The seed file is materially inconsistent with the declared skill purpose: it claims to support temporal knowledge graph embedding, but large portions of the manifest define A-share quant trading, backtesting, ZVT strategy generation, and trading-specific architecture. This kind of capability mismatch is dangerous because users and the host may grant execution authority or data access under false assumptions, enabling unintended financial actions outside the advertised scope.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding: The user-facing summaries and post-install text repeatedly position the skill as an A-share quant/ZVT trading assistant, directly contradicting the stated finance-kg-embedding purpose. This is dangerous because it can socially engineer users into invoking trading or market-data workflows they did not intend, while obscuring the true execution surface and required safeguards.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The manifest includes explicit trading/backtesting execution entry points and output handling even though the declared skill is a KG embedding trainer. Unjustified execution capability expansion is dangerous because it broadens the action surface from ML training into financial operations, increasing the chance of unauthorized or misleading code generation and execution.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The preconditions require ZVT, K-line data, initialized trading-data directories, and writable local state, none of which are necessary for a temporal KG embedding trainer. This is dangerous because it pressures the environment to install unrelated packages and grant filesystem persistence tied to trading workflows, creating unnecessary attack surface and privilege expansion.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The trigger terms cover very generic concepts like training, knowledge graph, and temporal modeling, which are common across many benign requests. Overbroad triggers increase the chance of accidental activation, causing the agent to load a financially sensitive skill in unrelated contexts and expose users to unintended workflows or instructions.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The execute trigger combines broad intent matching with generic action verbs like run, execute, fetch, collect, and their Chinese equivalents, making activation ambiguous and permissive. In an agent ecosystem, this can lead to unintended invocation of a skill that includes trading-related behavior, increasing the risk of unsafe or out-of-scope operations.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding: Broad sample triggers such as generic terms around training, metrics, and evaluation increase the likelihood of accidental invocation, especially when combined with contradictory trading-oriented user messaging. In a mismatched skill like this, over-broad activation is more dangerous because the user may trigger capabilities outside the declared KG purpose without clear consent.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The execute trigger combines broad action verbs with intent matching in a way that makes activation boundaries unclear. This is dangerous because ambiguous routing can auto-execute the wrong workflow, and the risk is amplified here by the manifest's mixed KG-training and trading/backtesting behaviors.
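The Description-Behavior Mismatch, Intent-Code Divergence and Vague Triggers findings above reduce to two mechanical checks a reviewer can run before installing: does the body exercise domains the description never declares, and are the triggers generic enough to fire on unrelated requests. The script below runs both over a manifest built to mirror this skill's findings. It is an added example for this page, not SkillSpector's ruleset or the skill's own code; the domain vocabulary, the generic-trigger list (including the assumed Chinese equivalents of run/execute/fetch/collect), the finding categories it emits and the manifest itself are all assumptions.

```python
"""Static review of a skill manifest for scope mismatch and vague triggers.

Added example, not code from the audit page, SkillSpector or the skill under
review. It reproduces two checks behind the findings with a keyword
heuristic. The manifest is constructed for illustration and the domain
keyword table is an assumption, not any scanner's real ruleset.
"""
from typing import Dict, List, Set

# Assumed domain vocabulary: a term anywhere in a text claims that domain.
DOMAIN_KEYWORDS: Dict[str, Set[str]] = {
    "kg_training": {"knowledge graph", "embedding", "temporal"},
    "trading_execution": {"order", "buy", "sell", "next-bar", "t+1",
                          "transaction cost", "broker"},
    "market_data": {"k-line", "kline", "zvt", "market data"},
    "backtesting": {"backtest", "strategy"},
}

# Assumed set of trigger words too generic to bound activation. The Chinese
# entries are assumed equivalents of run/execute/fetch/collect.
GENERIC_TRIGGERS = {
    "run", "execute", "fetch", "collect", "train", "training",
    "evaluate", "evaluation", "metrics", "test",
    "运行", "执行", "获取", "采集",
}

# Constructed manifest mirroring the mismatch described in the findings.
MANIFEST = {
    "name": "finance-kg-embedding",
    "description": "Train dynamic knowledge graph embedding models on temporal financial graphs.",
    "triggers": ["training", "knowledge graph", "temporal modeling",
                 "run", "execute", "fetch", "collect", "运行", "backtest"],
    "body": (
        "Train temporal knowledge graph embeddings, then generate a ZVT strategy, "
        "fetch K-line data, apply next-bar execution with the T+1 restriction, "
        "sell before buy, and charge transaction costs in the backtest."
    ),
}


def domains_in(text: str) -> Set[str]:
    """Domains whose vocabulary appears in text (case-insensitive substring match)."""
    low = text.lower()
    return {d for d, words in DOMAIN_KEYWORDS.items() if any(w in low for w in words)}


def scope_mismatch(manifest: dict) -> Set[str]:
    """Domains the body exercises that the description never declares."""
    return domains_in(manifest["body"]) - domains_in(manifest["description"])


def vague_triggers(triggers: List[str]) -> List[str]:
    """Triggers that match the generic-verb list on their own."""
    return sorted(t for t in triggers if t.strip().lower() in GENERIC_TRIGGERS)


def off_scope_triggers(manifest: dict) -> List[str]:
    """Triggers that pull the skill into a domain its description does not claim."""
    declared = domains_in(manifest["description"])
    return sorted(t for t in manifest["triggers"] if domains_in(t) - declared)


def review(manifest: dict) -> List[dict]:
    """Emit one finding per failed check, using the audit's category names."""
    findings = []
    extra = scope_mismatch(manifest)
    if extra:
        findings.append({"category": "Description-Behavior Mismatch",
                         "domains": sorted(extra)})
    vague = vague_triggers(manifest["triggers"])
    if vague:
        findings.append({"category": "Vague Triggers", "triggers": vague})
    off = off_scope_triggers(manifest)
    if off:
        findings.append({"category": "Trigger Abuse", "triggers": off})
    return findings


if __name__ == "__main__":
    for finding in review(MANIFEST):
        print(finding)
```

Applied to the preconditions text instead of the body, the same vocabulary would surface the Context-Inappropriate Capability findings, since ZVT and K-line terms fall in the market_data domain. Substring matching is deliberately crude: it errs toward flagging, which is the right bias for a pre-install gate where a human makes the final call.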

Natural-Language Policy Violations

Severity: Medium
Confidence: 80%
Finding: Hard-coding A-share-first positioning without user opt-in biases the system toward a market/trading context unrelated to the declared KG embedding task. In context, this is dangerous less as a pure market-bias issue and more because it nudges users into an unintended financial workflow under a mislabeled skill.

Natural-Language Policy Violations

Severity: Medium
Confidence: 80%
Finding: The tagline defaults to A-share usage and dismisses another market without user opt-in, reinforcing misleading market-specific positioning. Within this skill, that matters because it further obscures the declared KG embedding scope and can steer users toward unsupported or unintended financial operations.

Ssd 3

Severity: Medium
Confidence: 87%
Finding: The instruction to consult host conversational memory on behavioral decisions creates a path for the skill to influence retrieval and reuse of prior user-provided content. This is dangerous because memory access expands the data boundary beyond the current request and may expose or reuse sensitive prior context in ways the user did not intend.

VirusTotal

66/66 vendors flagged this skill as clean.
