Security audit

Gs Quant Pricing

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but its description presents a narrow pricing-indicator purpose while its body steers agents toward broader finance workflows, including data fetching, backtesting, trading-order logic, local setup, and some write-capable analytics references.

Install only if you intend to use a broad finance/backtesting assistant, not just a pricing-indicator calculator. Keep it away from live brokerage, paid provider, portfolio, entitlement, or risk-model upload access unless you explicitly authorize each action and review generated commands first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (18)

Description-Behavior Mismatch

Severity: High, confidence: 96%.
The skill metadata and description frame this as a quantitative indicator calculator, but the body expands scope into data collection, storage, target selection, backtesting, and trading execution. This scope drift is dangerous because orchestration systems may grant or invoke the skill under lower-risk assumptions while the documentation encourages materially higher-risk financial actions.

Context-Inappropriate Capability

Severity: High, confidence: 97%.
Documenting trading execution in a skill presented as an indicator calculator creates a dangerous capability mismatch. In a financial context, this can cause an agent or user to treat analytical output as authority to place orders, increasing the risk of unauthorized or unsafe market actions.

Context-Inappropriate Capability

Severity: Medium, confidence: 84%.
The skill advertises external market-data provider selection despite being described as local quantitative metric computation. This broadens operational scope to network/data-access behavior that may not be expected, introducing hidden dependencies, privacy/compliance concerns, and possible misuse of credentials or paid provider access.

Intent-Code Divergence

Severity: Medium, confidence: 94%.
The top-level title and description market the skill as a pricing/indicator utility, while the internal workflow and prompts steer toward strategy design, backtesting, and live trading decisions. This inconsistency can mislead operators, automated policy engines, and users about the risk profile, making accidental invocation in sensitive financial contexts more likely.

Intent-Code Divergence

Severity: High, confidence: 97%.
The human summary materially overstates the skill’s capabilities, claiming end-to-end ZVT strategy construction, data fetching, and backtesting even though the declared skill scope is limited to quantitative indicator calculations such as annualized volatility, EMA, and exponentially weighted standard deviation. This creates a scope-mismatch vulnerability: an agent or user may rely on undocumented trading workflow behavior, invoke unsupported external tooling or market-data paths, and bypass intended safety or capability boundaries.

Description-Behavior Mismatch

Severity: High, confidence: 98%.
The documented behavior expands from narrow financial-indicator calculation into full trading-strategy development, market-data ingestion, factor engineering, index composition collection, and execution-oriented workflows. In skill ecosystems, this kind of documentation drift is dangerous because orchestration layers and users often trust the human summary to decide what the skill is allowed to do, leading to over-privileged use, unsafe assumptions, and unintended access to external systems or sensitive financial workflows.

Description-Behavior Mismatch

Severity: Medium, confidence: 96%.
The file defines semantic locks and preconditions for a full trading/backtesting workflow, including order execution rules, trading-signal semantics, transaction-cost defaults, and recorder requirements, which materially exceeds the declared scope of simple quantitative indicator computation. This creates a scope mismatch that can mislead an agent into performing or validating trading operations and local environment actions that users did not authorize.

Context-Inappropriate Capability

Severity: Medium, confidence: 95%.
The documented rules cover execution ordering, next-bar execution, T+1 constraints, and signal/order schema requirements, indicating the skill may steer or validate trading behavior rather than merely compute indicators. In the context of a skill advertised as analytics-only, this hidden operational scope is dangerous because it can cause unauthorized financial decision support or downstream automated trading behavior.

Context-Inappropriate Capability

Severity: Low, confidence: 89%.
The preconditions instruct access to local ZVT directories, write tests, package installation, initialization, and recorder execution, none of which are necessary for a narrowly scoped indicator-calculation skill. Even though these are framed as setup checks, they expand the skill into local system interaction and data acquisition, increasing the chance of unexpected filesystem changes or network/data-fetch behavior.

Description-Behavior Mismatch

Severity: High, confidence: 95%.
The referenced component list exposes reporting, portfolio manager, and factor risk functionality that is materially broader than the skill’s declared purpose of computing pricing-related indicators such as annualized volatility and EMA. This scope mismatch is dangerous because it can grant callers access to unintended financial reporting or portfolio analytics capabilities, undermining least privilege and enabling data exposure or misuse outside the advertised use case.

Context-Inappropriate Capability

Severity: Medium, confidence: 92%.
The skill appears to expose portfolio, factor risk, and performance reporting operations that are not justified by a pricing-indicator skill description. In context, this increases danger because financial analytics/reporting functions may touch more sensitive portfolio and performance data than simple time-series indicator calculations, creating unnecessary attack surface and potential unauthorized access to internal analytics workflows.

Description-Behavior Mismatch

Severity: High, confidence: 99%.
The seed file’s actual capability surface is far broader than the advertised skill purpose. A user expecting a narrow quant-indicator calculator could unknowingly invoke data ingestion, backtesting, reporting, portfolio/entity access, or risk-model workflows, violating least-privilege expectations and materially increasing the chance of unintended data access or high-impact actions.

Context-Inappropriate Capability

Severity: High, confidence: 98%.
Risk model upload capabilities are write-path operations with materially higher impact than read-only indicator calculation. Including upload functionality in a skill presented as a calculator creates unnecessary authority, and if exposed or misrouted could alter model data, contaminate analytics, or affect downstream consumers relying on those models.

Context-Inappropriate Capability

Severity: Medium, confidence: 93%.
Report scheduling and portfolio/performance reporting are out of scope for a simple indicator calculator and expand the accessible data and action surface. This increases the risk of unintended portfolio analytics exposure, accidental report execution, or user confusion about what operations the skill may perform on their behalf.

Context-Inappropriate Capability

Severity: Medium, confidence: 95%.
Entity management and entitlement access introduce sensitive discovery and access-control-adjacent functionality that is not justified by the stated indicator-computation purpose. Even if the underlying platform enforces entitlements, bundling these features broadens the reconnaissance surface and can expose metadata or access patterns users did not expect.

Intent-Code Divergence

Severity: High, confidence: 99%.
The user-facing messaging materially misrepresents the skill as an A-share ZVT strategy/backtesting tool, while the metadata describes a gs-quant indicator calculator. This kind of capability confusion is dangerous because users and host systems may grant trust, permissions, or invocation context based on inaccurate descriptions, enabling unintended execution paths and masking risky behavior.

Vague Triggers

Severity: Medium, confidence: 88%.
The trigger condition is broad and based on generic intent matching plus common action verbs like run, execute, backtest, and fetch. In an agent environment, this increases the chance of accidental activation for unrelated finance queries, which is especially risky here because the skill text also references trading and execution behavior.

Vague Triggers

Severity: Medium, confidence: 90%.
The execute trigger matches broad intent terms plus generic action verbs like run/execute/fetch/collect, making accidental or ambiguous activation more likely. In a skill with expanded capabilities, broad triggering can cause the host to enter sensitive workflows without a narrowly scoped user request.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.