Back to skill

Security audit

public-dot-com

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Public.com brokerage skill that can access account data and place or cancel real orders, so it is high-impact but coherent with its stated purpose.

Install only if you intend to let an agent access your Public.com account and potentially place or cancel real orders. Use an isolated environment, preinstall and review the SDK dependency where possible, keep the API secret tightly scoped, and require explicit confirmation for every live trade or automated strategy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (45)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
from public_api_sdk.auth_config import ApiKeyAuthConfig
except ImportError:
    print("Installing required dependency: publicdotcom-py...")
    subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])
    from public_api_sdk import PublicApiClient, PublicApiClientConfiguration
    from public_api_sdk.auth_config import ApiKeyAuthConfig
Confidence
94% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
from public_api_sdk.auth_config import ApiKeyAuthConfig
except ImportError:
    print("Installing required dependency: publicdotcom-py...")
    subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])
    from public_api_sdk import PublicApiClient, PublicApiClientConfiguration
    from public_api_sdk.auth_config import ApiKeyAuthConfig
Confidence
94% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
from public_api_sdk.auth_config import ApiKeyAuthConfig
except ImportError:
    print("Installing required dependency: publicdotcom-py...")
    subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])
    from public_api_sdk import PublicApiClient, PublicApiClientConfiguration
    from public_api_sdk.auth_config import ApiKeyAuthConfig
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
from public_api_sdk.auth_config import ApiKeyAuthConfig
except ImportError:
    print("Installing required dependency: publicdotcom-py...")
    subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])
    from public_api_sdk import (
        PublicApiClient,
        PublicApiClientConfiguration,
Confidence
94% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
from public_api_sdk.auth_config import ApiKeyAuthConfig
except ImportError:
    print("Installing required dependency: publicdotcom-py...")
    subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])
    from public_api_sdk import (
        PublicApiClient,
        PublicApiClientConfiguration,
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
from public_api_sdk.auth_config import ApiKeyAuthConfig
except ImportError:
    print("Installing required dependency: publicdotcom-py...")
    subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])
    from public_api_sdk import (
        PublicApiClient,
        PublicApiClientConfiguration,
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
from public_api_sdk.auth_config import ApiKeyAuthConfig
except ImportError:
    print("Installing required dependency: publicdotcom-py...")
    subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])
    from public_api_sdk import (
        PublicApiClient,
        PublicApiClientConfiguration,
Confidence
94% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
from public_api_sdk.auth_config import ApiKeyAuthConfig
except ImportError:
    print("Installing required dependency: publicdotcom-py...")
    subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])
    from public_api_sdk import PublicApiClient, PublicApiClientConfiguration
    from public_api_sdk.auth_config import ApiKeyAuthConfig
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
from public_api_sdk.auth_config import ApiKeyAuthConfig
except ImportError:
    print("Installing required dependency: publicdotcom-py...")
    subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])
    from public_api_sdk import PublicApiClient, PublicApiClientConfiguration
    from public_api_sdk.auth_config import ApiKeyAuthConfig
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
from public_api_sdk.auth_config import ApiKeyAuthConfig
except ImportError:
    print("Installing required dependency: publicdotcom-py...")
    subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])
    from public_api_sdk import PublicApiClient, PublicApiClientConfiguration
    from public_api_sdk.auth_config import ApiKeyAuthConfig
Confidence
94% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
from public_api_sdk.auth_config import ApiKeyAuthConfig
except ImportError:
    print("Installing required dependency: publicdotcom-py...")
    subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])
    from public_api_sdk import (
        PublicApiClient,
        PublicApiClientConfiguration,
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
from public_api_sdk.auth_config import ApiKeyAuthConfig
except ImportError:
    print("Installing required dependency: publicdotcom-py...")
    subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])
    from public_api_sdk import (
        PublicApiClient,
        PublicApiClientConfiguration,
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
from public_api_sdk.auth_config import ApiKeyAuthConfig
except ImportError:
    print("Installing required dependency: publicdotcom-py...")
    subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])
    from public_api_sdk import (
        PublicApiClient,
        PublicApiClientConfiguration,
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "publicdotcom-py==0.1.8"])

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to read secrets from the environment/secure files, read local files, and execute shell commands, yet it declares no permissions. In a finance skill that can place trades, this mismatch is risky because users and policy layers may not understand that the skill can access account credentials and run commands that affect a brokerage account.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file substantially expands the skill from basic brokerage interaction into a full options-strategy automation playbook, including complex multi-leg structures and execution logic. In a brokerage-integrated skill, this scope expansion is dangerous because it normalizes and enables high-risk trading behavior that can trigger unauthorized or poorly understood real-money transactions far beyond what a user might expect from the manifest.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The recurring wheel loop and monitoring/management helpers describe autonomous trading behavior that can continue placing or influencing orders over time without fresh user approval. In a live brokerage context, persistent automation materially increases the chance of unintended trades, runaway losses, or repeated account impact from stale assumptions or changing market conditions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The event-driven engines ingest earnings, macro, and premarket signals to systematically select and execute strategies not disclosed in the manifest. This makes the skill more dangerous because external-event triggers can drive autonomous real-money trading decisions at scale, especially around volatile market windows where losses can accelerate quickly.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Installing a Python package during execution is unnecessary for canceling a brokerage order and creates avoidable supply-chain risk. In this financial-account context, pulling and executing package code on demand is especially sensitive because the script also handles API secrets and account operations, so a compromised dependency could directly affect account integrity or leak credentials.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script automatically installs a dependency at runtime even though its purpose is only to retrieve brokerage account information. This introduces unnecessary capability, creates supply-chain risk, and allows the skill to modify the host environment and execute third-party code beyond the user's expected brokerage interaction.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Installing a Python package at runtime is not necessary for fetching brokerage history and introduces avoidable supply-chain risk. In the context of a brokerage skill that handles account identifiers and API secrets, silently pulling and executing package code is more dangerous because compromise of the dependency path could expose sensitive financial data or alter account-related behavior.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The fallback behavior installs a Python package during normal script execution, which adds code execution capability unrelated to the core brokerage-account function of fetching an instrument. In a finance-oriented skill that handles API secrets and account context, pulling code at runtime is especially risky because a compromised package or index could execute with access to sensitive credentials and account metadata.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Installing a Python package via pip at runtime is risky in this brokerage-account skill because it introduces external code into a sensitive workflow that handles account identifiers and API secrets. A compromised package, dependency confusion event, or malicious install hook could run arbitrary code in the user's environment before any brokerage action occurs.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Installing a Python package during script execution is not necessary to fetch option expirations and is especially risky in a financial-account integration context. This behavior expands the trust boundary to external package infrastructure at execution time and can introduce unreviewed code into an environment that may contain brokerage API secrets and account identifiers.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Installing a Python package on demand is not necessary for the core business logic of fetching option greeks and creates avoidable supply-chain exposure. In a brokerage-related skill that handles account credentials, executing package install hooks or pulling compromised dependencies is especially risky because the environment likely has access to sensitive API secrets.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Installing a Python package at runtime is unnecessary for basic brokerage account interaction and expands the skill's privileges beyond its stated purpose. This creates a preventable supply-chain attack surface: a malicious or substituted package can execute code immediately and access API secrets, account identifiers, and account data processed by the script.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.