Back to skill

Security audit

掘金量化skill

Security checks across malware telemetry and agentic risk

Overview

This trading skill is mostly purpose-aligned, but it includes exposed API tokens and under-scoped live-trading execution paths that users should review carefully before installing.

Install only if you intend to use GM/掘金量化 trading APIs and understand the financial risk. Rotate or ignore the bundled token, use your own token via environment variables or a secret manager, avoid pasting secrets into chat, and review generated strategies before running them. Treat live mode, account IDs, order placement, close-all, and bond conversion examples as privileged actions that should require explicit manual confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (23)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The comments instruct users to replace a placeholder token, but the file already contains a concrete API token later in the script. This creates a strong risk of accidental credential exposure, unauthorized API use, quota consumption, and possible access to sensitive account-linked market or brokerage data if the token is valid.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script embeds a fallback API token and automatically uses it if GM_TOKEN is absent, which grants authenticated access to a third-party service. In a skill/test artifact, this is dangerous because anyone who can read or run the file may misuse the credential, incur charges, access licensed premium data, or cause the token owner’s account to be rate-limited or suspended.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script hardcodes a live-looking API token directly in source code and then uses it for authenticated SDK access. Embedded credentials are easily leaked through source control, logs, package distribution, or prompt/context exposure, allowing unauthorized use of the associated account or data services. In this skill context, the danger is increased because the file is a test script likely to be shared broadly and run by others.

Missing User Warnings

High
Confidence
98% confidence
Finding
The README explicitly instructs users to paste their trading platform token into chat and says it will be automatically saved. Collecting secrets through a conversational channel increases the risk of credential exposure via logs, model context retention, screenshots, or mishandling, especially because the token appears to grant access to brokerage/quant platform functions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README promotes automatic generation and execution of trading strategies and also advertises live/simulated trading, but does not place strong safety gates before execution. In this context, generated code can place orders, alter positions, or cause financial loss if users run it without review, and the danger is amplified by the financial/trading domain.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger surface is extremely broad, covering many generic finance and API terms, which can cause the skill to auto-load in contexts where the user did not intend to enable an execution-capable trading assistant. In this skill, that matters because loading can steer the agent toward code generation, shell-based execution, and token-handling workflows. Broad unsolicited activation increases the chance of unsafe actions in financial contexts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The report exposes part of a live authentication token and normalizes handling it in documentation without any credential-safety guidance. Even partial token disclosure can aid secret identification, and in a trading SDK context tokens authorize authenticated market-data or account-related API access, making poor secret hygiene more dangerous.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The one-click run section tells users to export `GM_TOKEN` and execute a test script, but does not warn that this will perform authenticated API calls against the user's account or subscription. In a financial/trading skill, that omission increases the chance users run code without understanding data access, quota consumption, billing, or account-context implications.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The document explicitly suggests putting the token directly into the script, which encourages hardcoding secrets into code that may later be committed, shared, or logged. For a quant/trading SDK, leaked tokens can expose account-linked API capabilities and create downstream compromise risk if repository or local files are accessed by others.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The quick-start document includes examples for live/simulated trading and order placement but does not clearly warn users that switching to live mode can submit real orders or cause financial loss. In a quant trading skill, users may copy examples directly, so the absence of explicit safety guidance increases the chance of accidental real-world trading actions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation tells users to place an authentication token directly in code (`set_token('YOUR_TOKEN_ID')`) and notes it may also be passed into `run(...)`, but provides no warning that the token is a secret or guidance on secure storage. In an SDK skill focused on quant trading workflows, users may copy-paste examples into repositories, notebooks, logs, or shared strategy files, increasing the chance of credential leakage and unauthorized API use.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation includes `order_close_all()` as a one-click account-wide liquidation action but does not prominently warn that it will flatten all positions in the current account. In a trading skill, this can lead users or downstream agents to trigger irreversible financial actions without adequate confirmation or scope awareness, especially if examples are copied directly into live strategies.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This document provides direct examples for algorithmic order placement, cancellation, and account/position/fund queries against what appear to be live trading APIs, but it does not warn users about real-account execution risk, credential sensitivity, or the need to use sandbox/test environments. In an agent-skill context that may be auto-loaded for trading-related prompts, this increases the chance that users or downstream agents invoke high-impact actions or expose sensitive financial/account data without appropriate safeguards.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This documentation exposes live-trading functions for convertible bond conversion, put-back, and cancellation in a real-money environment, but it does not provide a clear warning that these actions can trigger irreversible financial transactions. In an agent skill context, users may rely on examples verbatim, increasing the chance that an assistant suggests or generates execution-ready code that causes unintended trades or asset conversion.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide shows a chat command that switches a strategy to live trading, but the invocation example itself does not warn that this can immediately place real market orders with real funds. In a trading skill, actionability from natural-language chat is highly sensitive, and omission of an inline warning/confirmation step materially increases the chance of accidental or socially engineered live execution.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The WeChat example for switching to simulation mode omits that this can start automated trading activity from a mobile chat channel. Even though simulation does not risk real funds directly, it can trigger order generation, consume connected resources, and normalize unsafe remote control patterns that are one step away from live trading.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The WeChat section promotes strategy management from a less controlled interface without warning that mobile chat commands could trigger sensitive actions, including mode changes and automated trading. In this skill context, remote conversational control over trading workflows increases the risk of accidental commands, account compromise, message spoofing, or misuse by someone with temporary device access.

Missing User Warnings

High
Confidence
94% confidence
Finding
The script can run in live mode based solely on the GM_RUN_MODE environment variable and immediately submits real trading orders through order_target_volume without any explicit confirmation, dry-run gate, or safety interlock. In a trading skill, this is materially dangerous because accidental deployment, misconfiguration, or unauthorized environment changes could trigger real-money trades and portfolio changes.

Missing User Warnings

High
Confidence
95% confidence
Finding
The script can run in live mode based solely on GM_RUN_MODE and immediately enables automated order placement through the same code path used for backtesting. In a skill context, this is dangerous because a user may load or execute the strategy expecting analysis/help, yet the code is capable of placing real buy and sell orders without an explicit interactive acknowledgement or safety gate.

Missing User Warnings

High
Confidence
99% confidence
Finding
A hardcoded API token is a real secret exposure. Anyone who obtains the script can reuse the credential to access the associated gm account/API context, potentially reading sensitive financial/account information or performing actions permitted by that token. In a trading SDK skill, this is more dangerous because the credential may grant access to brokerage-like account data and possibly trading-related operations.

Missing User Warnings

High
Confidence
100% confidence
Finding
A live API token is hardcoded directly in source code, which is a classic credential exposure issue. In this skill context, the script also accesses account/order/position APIs, making the token more dangerous because an attacker who obtains it may be able to query sensitive financial account information or abuse the associated service.

Missing User Warnings

High
Confidence
99% confidence
Finding
Using a hardcoded fallback token without an explicit warning means the script silently authenticates as someone else, which violates least surprise and can mask unauthorized use. This increases the chance of accidental data access, billing abuse, and redistribution of a live credential through the repository or downstream copies.

Missing User Warnings

High
Confidence
98% confidence
Finding
The hardcoded token is not merely present; it is actively passed to set_token() and used for authenticated network access without any warning, consent, or indication that running the test will consume a real credential. This can cause unintended account usage, quota consumption, billing exposure, or disclosure of account-linked market data when someone executes the script as-is.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.