Back to skill

Security audit

Finrl Meta Envs

Security checks across malware telemetry and agentic risk

Overview

This finance skill is not overtly malicious, but its mixed FinRL/ZVT identity and default behavior to save derived skills need review before use.

Install only if you intentionally want a finance automation helper that may set up Python/ZVT tooling, store market data locally, and generate paper-trading or broker-connected code. Use an isolated environment, set ZVT_HOME to a contained directory, use only paper/sandbox broker keys unless you explicitly choose otherwise, and disable or require confirmation for derived-skill saving.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The seed file presents itself as a FinRL-Meta multi-market RL skill, but substantial portions of the manifest, preconditions, summaries, and workflow are instead centered on ZVT/A-share tooling. This identity mismatch can misroute execution, trigger the wrong install/runtime behaviors, and cause users or host agents to operate against an unintended code path, which is especially risky in a finance/trading skill where wrong framework assumptions can lead to unsafe execution decisions.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest claims a DRL-oriented FinRL capability set, but the documented capabilities also include unrelated ZVT factor and recorder workflows. This broadens the effective behavior surface beyond what the skill advertises, increasing the chance that a host auto-selects or executes functionality the user did not intend.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The post-install and human summary explicitly tell the user the skill is for A-share strategy building with ZVT, directly contradicting the declared FinRL-Meta identity. In an agent setting, user-facing text is operationally important: misleading summaries can steer users into installing packages, using APIs, or trusting outputs from the wrong framework.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The file includes host-side skill crystallization and persistence behavior that goes beyond the stated purpose of providing a financial RL environment. Auto-saving or persisting derived skills increases the blast radius of a misconfigured or misleading skill by turning a one-time mismatch into a reusable installed artifact.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The execute trigger is broad enough to activate on generic intent matching plus common action verbs like run/execute/backtest/fetch/collect, which can cause the skill to launch in situations where the user did not intend actual trading or market actions. In a finance skill that includes paper trading, broker integration, and trading execution, unintended invocation increases the risk of accidental order flow, data collection, or strategy execution with real financial consequences if later connected to live-capable components.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill advertises real-time trading execution and Alpaca broker integration without a prominent warning that actions may affect connected accounts, create orders, or trigger market-facing behavior. In a financial automation context, missing safety disclosures make operator error more likely and can cause users to invoke execution-capable workflows without understanding account, compliance, or monetary risk.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The summary uses very broad trigger language such as 'Just tell me what you want; I'll write the code,' which can cause the skill to engage on vague or generic financial requests without clear domain boundaries. In an agent setting, ambiguous invocation can lead to the wrong tool being selected, overbroad code generation, or user actions being interpreted as authorization to produce trading or data-access workflows that exceed intended scope.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The execute trigger matches broad generic verbs like run/execute alongside common finance terms, making accidental invocation more likely. In a trading-related skill with install and execution behaviors, overly broad triggering can cause unintended workflow execution, package installation, or operational state changes.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.