Vnpy Futures Trading

Security checks across malware telemetry and agentic risk

Overview

This finance skill is not plainly malicious, but its trading scope is confused and it includes live/RPC trading behaviors without sufficiently clear user-facing safeguards.

Review before installing. Use only in a sandbox or paper-trading environment until the publisher aligns the skill identity, separates ZVT research from VnPy futures execution, documents broker credentials and RPC exposure, requires explicit live-order confirmation and risk limits, and makes skill-file persistence clearly opt-in.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch
Severity: High. Confidence: 97%.
The human summary materially misrepresents the skill's purpose: it advertises a ZVT-based A-share/HK/crypto research and backtesting assistant, while the metadata describes a vnpy futures auto-trading skill for Chinese futures execution and session management. This scope mismatch can cause users or orchestration systems to invoke the skill for the wrong domain, leading to unsafe trading actions, misuse of broker/data integrations, or erroneous trust in capabilities the skill does not actually provide.

Description-Behavior Mismatch
Severity: High. Confidence: 99%.
The seed declares a VeighNa/vnpy futures-trading skill, but the actual preconditions, semantic locks, user guidance, and execution flow are centered on ZVT A-share workflows. This kind of skill-identity drift is dangerous because users and host agents may invoke the wrong code paths, apply the wrong market rules, or trust incompatible constraints, leading to mis-execution in a finance/trading context.

Description-Behavior Mismatch
Severity: High. Confidence: 99%.
The post-install and human-facing descriptions explicitly tell users the skill builds A-share strategies with ZVT, directly contradicting the advertised vnpy futures-trading identity. In a trading skill, misleading operator-facing text is security-relevant because it can cause misuse of the skill, incorrect trust decisions, and execution under the wrong assumptions about broker, asset class, and safeguards.

Description-Behavior Mismatch
Severity: Medium. Confidence: 92%.
The use-case catalog extends well beyond the stated futures auto-trading scope into A-share factor research, RPC infrastructure, GUI trading, and generic test utilities. Excess capability surface increases the chance that the host routes user requests into unrelated or weakly governed behaviors, which is especially risky when financial execution and data workflows coexist in one skill.

Context-Inappropriate Capability
Severity: Medium. Confidence: 83%.
The seed exposes generic RPC client/server test and distributed communication capabilities that are not clearly bounded by the declared business purpose. Networked RPC features broaden the attack surface because they can enable unintended remote control paths, unsafe exposure of trading functions, or confusion between demo/test infrastructure and production trading components.

Intent-Code Divergence
Severity: High. Confidence: 99%.
The tagline tells users the skill is for A-share with ZVT, which conflicts with the manifest identity of a vnpy futures-trading skill. Because this appears in prominent user-facing copy, it materially increases the likelihood of unsafe operator error: wrong market assumptions, wrong framework expectations, and misplaced trust in constraints that do not apply.

Vague Triggers
Severity: Medium. Confidence: 94%.
The execute trigger is defined by broad semantic matching plus common action verbs, which can cause the skill to run when a user is only discussing backtesting, data collection, or trading concepts rather than explicitly authorizing execution. In a finance/trading context, unintended invocation is especially dangerous because it can lead to market-affecting actions, data pulls, or workflow execution with financial consequences.

Vague Triggers
Severity: Medium. Confidence: 91%.
The listed trigger phrases include generic terms like 'backtesting', 'RQData', 'CSI300 data', and similar common user language that may appear in ordinary conversation. Because this skill covers trading and data operations, such overlap raises the chance of accidental activation and execution of nontrivial workflows without clear user intent.

Missing User Warnings
Severity: Medium. Confidence: 89%.
The skill advertises automatic trading execution and market data downloads but does not present an upfront warning about live-order risk, broker/account effects, external data usage, or the distinction between backtesting and production trading. In a financial skill, missing safety disclosure increases the likelihood that users invoke sensitive operations without understanding that real assets, credentials, quotas, or compliance obligations may be affected.

Vague Triggers
Severity: Medium. Confidence: 84%.
Phrases like 'Just tell me what you want; I'll write the code' are overly broad and can cause the skill to trigger on generic quant or coding requests outside its intended scope. In a trading context, broad invocation language increases the chance of unintended activation, user confusion, and generation of automation code for unsupported or risky workflows.

Missing User Warnings
Severity: Medium. Confidence: 91%.
The use cases explicitly describe live and automated futures trading capabilities, including remote/RPC operation and script-based trading, but provide no warning about real-money execution, operational risk, or the need for safeguards. In a trading skill, this omission is security-relevant because users may run examples against live broker connections or remote services without understanding the financial and system impact of automation.

VirusTotal

64/64 vendors flagged this skill as clean.