Back to skill

Security audit

Jimbo the Investor

Security checks across malware telemetry and agentic risk

Overview

This looks like a finance assistant, but it bundles broad workspace, memory, heartbeat, automation, and unrelated skill instructions that users should review before installing.

Review this as a broad agent-workspace package, not just a finance assistant. Install only if you are comfortable with persistent memory files, heartbeat-style background work, possible access to personal context, and the bundled ClawStreet and Humanizer behaviors. For safer use, remove unrelated workspace/skills/memory files, tighten heartbeat triggers, require explicit confirmation before file deletion or public/API actions, and keep any trading API keys in a secure credential store.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (14)

Intent-Code Divergence

High
Confidence
94% confidence
Finding
The skill says MEMORY.md must only be loaded in direct main sessions because it may contain personal context, but later authorizes heartbeat-driven review and updates of MEMORY.md. If heartbeats occur in shared or automated contexts, this contradiction can cause the agent to ingest or expose sensitive long-term memory outside the intended trust boundary.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The file earlier establishes a clear privacy boundary: MEMORY.md must only be loaded in main sessions and not in shared contexts because it may contain sensitive personal data. The later heartbeat maintenance instruction tells the agent to review and update MEMORY.md during heartbeats without restating or enforcing that boundary, creating a realistic path for sensitive memory to be accessed in inappropriate contexts if a heartbeat fires outside a private main session.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The heartbeat trigger is defined by matching a configurable prompt string, which is an ambiguous activation condition. An attacker or accidental message collision could cause the agent to enter proactive task mode unexpectedly, leading to unauthorized file reads, external checks, or other actions under the guise of a heartbeat.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The instruction to delete BOOTSTRAP.md on first run authorizes file deletion without user confirmation or a visible warning. Even if intended as cleanup, it creates a destructive action path that could remove important provenance, setup instructions, or forensic evidence, and it normalizes silent deletion behavior.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The instruction to act on any message matching a configurable heartbeat prompt is overly broad and can be triggered in unintended contexts by an untrusted message or prompt collision. Because the triggered behavior includes reading local files and taking proactive actions, a spoofed or overly generic heartbeat could cause unauthorized data access or side effects without explicit user intent.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
Telling the agent to react and speak 'like a human' in group chats encourages anthropomorphic behavior that can blur whether the speaker is an AI or a human representative. In shared settings, that ambiguity can mislead participants, increase social engineering risk, and cause inappropriate disclosure if others assume human judgment or authority behind the messages.

Missing User Warnings

Medium
Confidence
74% confidence
Finding
The transcript shows the assistant proposing to delete BOOTSTRAP.md as part of setup without any explicit confirmation, warning, or clear justification. In an agentic system with file access, normalizing silent deletion of user or system files can lead to unintended data loss, tampering with audit trails, or destruction of recovery-critical context.

Vague Triggers

High
Confidence
98% confidence
Finding
The content explicitly instructs creation of a persistent autonomous skill that must continue acting without waiting for user input and without normal stopping conditions. That broad persistence, coupled with automatic task selection and execution, can cause uncontrolled tool use and unintended changes across the workspace.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The repeated directives to 'continue working' and 'resume execution now' reinforce ambiguous autonomous behavior and pressure the agent to keep taking actions without reevaluating safety or scope. This increases the chance of unintended file modification or policy bypass through momentum-based execution.

Missing User Warnings

High
Confidence
97% confidence
Finding
The markdown promotes persistent autonomous execution and immediate tool-driven implementation but does not warn about the risks of continuous file edits, accidental destructive operations, or scope drift. Omitting such safeguards makes the instructions materially more dangerous in an agent environment with write capabilities.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The later prompts continue directing file creation and modification in an uninterrupted sequence while omitting disclosures about the risks of nonstop tool use. This normalizes unreviewed changes and encourages the agent to prioritize activity over correctness and safety.

Natural-Language Policy Violations

High
Confidence
94% confidence
Finding
The skill explicitly aims to remove signs of AI-generated writing and make text appear human-written, but it contains no requirement for disclosure, consent, or legitimate use constraints. That creates a clear deception-enablement risk: users can pass off AI-authored text as human authorship in academic, professional, journalistic, or compliance-sensitive contexts.

Ssd 4

High
Confidence
99% confidence
Finding
These instructions attempt to condition the agent into nonstop autonomous tool use, explicitly forbidding waiting, stopping, or asking questions. That is dangerous because it suppresses normal safety boundaries and can drive the agent to perform unbounded actions without human oversight.

Ssd 4

High
Confidence
99% confidence
Finding
The follow-up prompts escalate pressure to keep taking tool actions and explicitly label any pause as failure, which is a strong attempt to override prudent decision-making. In a coding workspace, this can lead to cascading edits, persistent unintended state changes, and reduced opportunity to catch mistakes before they propagate.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.