
Security audit

BitSoulStockSkill

Security checks across malware telemetry and agentic risk

Overview

The skill matches its stock-analysis purpose, but its remote data-update path and token handling need review before installation.

Install only if you trust the BitSoul/aicodingyard service and are comfortable with remote data packages updating local files. Use a limited token, keep the env file private, consider an isolated BITSOUL_CACHE_DIR, avoid automatic update/train calls, and treat buy/sell outputs as informational rather than financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (29)

Tainted flow: 'download_url' from requests.get (line 1702, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
log(f"Starting download of {file_name} ...")
log(f"Download URL: {download_url}")

with requests.get(download_url, stream=True, timeout=300) as response:
    if response.status_code != 200:
        log(f"Download failed, HTTP status code: {response.status_code}")
        if retry < max_retries - 1:
Confidence
92% confidence
Finding
with requests.get(download_url, stream=True, timeout=300) as response:

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documented API allows local database mutation via update_data() and later maintenance operations, which expands the skill from passive stock analysis into state-changing system behavior. In an agent setting, undocumented or weakly disclosed write/update capabilities can cause unintended downloads, persistent changes, and supply-chain exposure if invoked automatically or by prompt manipulation.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
Exposing train_moe_weights() with automatic writes to moe_weights.json gives the agent a persistent model-modification capability beyond answering stock questions. This can alter future behavior across sessions, create hard-to-audit state drift, and be abused through prompt injection or accidental triggering to degrade integrity of later recommendations.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
download_from_url accepts an arbitrary URL and writes the response body to an arbitrary output path without host restrictions or content validation. Exposing a generic file-download primitive is dangerous because it can be repurposed beyond stock-data use, enabling retrieval of attacker-controlled payloads and local file placement for later misuse.
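This finding and the tainted-flow finding at the top of the list (a download_url read out of one HTTP response and passed straight into another requests.get) describe the same primitive: fetch whatever URL the server hands back and write it wherever the caller says. The block below is an added example of how a reviewer would expect that path to be constrained; it is not code from BitSoulStockSkill, and the allow-listed host, size limit and cache layout are assumptions, since the page names neither the skill's real data host nor its package sizes. It pins scheme and host before any request is made, refuses redirects (which would otherwise defeat the host check), confines output to one cache directory with a bare file name, caps the byte count while streaming, verifies a pinned SHA-256 before the file becomes visible under its final name, and takes an injectable chunk source so the policy can be exercised offline.

```python
import hashlib
import os
import tempfile
import urllib.request
from pathlib import Path
from typing import Callable, Iterable, Optional
from urllib.parse import urlparse

# Policy values are assumptions for this example; the page does not name the
# skill's real data host or its package sizes.
ALLOWED_HOSTS = frozenset({"data.example.invalid"})
MAX_PACKAGE_BYTES = 200 * 1024 * 1024
CHUNK_SIZE = 1 << 16


class DownloadPolicyError(ValueError):
    """Raised when a URL, output path or payload violates the download policy."""


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """A 3xx could bounce an allow-listed URL to any host, so redirects are refused outright."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise DownloadPolicyError(f"redirect to {newurl!r} refused")


def validate_download_url(url: str) -> str:
    """Accept only https URLs on allow-listed hosts, with no embedded credentials."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise DownloadPolicyError(f"scheme {parts.scheme!r} not allowed")
    if parts.hostname is None or parts.hostname.lower() not in ALLOWED_HOSTS:
        raise DownloadPolicyError(f"host {parts.hostname!r} not in allow-list")
    if parts.username or parts.password:
        raise DownloadPolicyError("credentials embedded in URL")
    return url


def resolve_output_path(cache_dir: Path, file_name: str) -> Path:
    """Confine output to cache_dir: a bare file name, no separators, no traversal."""
    if (not file_name or file_name in (".", "..") or "\\" in file_name
            or file_name != os.path.basename(file_name)):
        raise DownloadPolicyError(f"unsafe file name {file_name!r}")
    base = cache_dir.resolve()
    dest = (base / file_name).resolve()
    if dest.parent != base:
        raise DownloadPolicyError(f"{file_name!r} escapes {base}")
    return dest


def _urllib_chunks(url: str) -> Iterable[bytes]:
    """Default chunk source: stream the body with the stdlib, redirects disabled."""
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(url, timeout=300) as resp:
        while True:
            chunk = resp.read(CHUNK_SIZE)
            if not chunk:
                return
            yield chunk


def fetch_to_cache(url: str, file_name: str, expected_sha256: str, cache_dir: Path,
                   chunk_source: Optional[Callable[[str], Iterable[bytes]]] = None,
                   max_bytes: int = MAX_PACKAGE_BYTES) -> Path:
    """Download url into cache_dir/file_name under the policy; returns the final path.

    The body is streamed into a temporary file, size-capped as it arrives and hashed;
    only a payload whose SHA-256 matches the pinned digest is renamed into place, so a
    partial or tampered download never appears under its final name.
    """
    validate_download_url(url)
    cache_dir.mkdir(parents=True, exist_ok=True)
    dest = resolve_output_path(cache_dir, file_name)
    source = chunk_source or _urllib_chunks
    digest = hashlib.sha256()
    received = 0
    fd, tmp_name = tempfile.mkstemp(dir=cache_dir, prefix=".partial-")
    try:
        with os.fdopen(fd, "wb") as tmp:
            for chunk in source(url):
                received += len(chunk)
                if received > max_bytes:
                    raise DownloadPolicyError(f"payload exceeds {max_bytes} bytes")
                digest.update(chunk)
                tmp.write(chunk)
        if digest.hexdigest() != expected_sha256.lower():
            raise DownloadPolicyError("sha256 mismatch: payload is not the pinned package")
        os.replace(tmp_name, dest)
    except BaseException:
        try:
            os.unlink(tmp_name)
        except FileNotFoundError:
            pass
        raise
    return dest
```

In a real skill the expected digest must come from somewhere the server cannot rewrite (a signed manifest or the installed package's own metadata), not from the same response that supplied the URL; otherwise the hash check only confirms the server's claim about its own payload.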

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This file implements a custom file encryption/decryption utility unrelated to the stated stock-analysis purpose of the skill, which is a strong indicator of hidden or unnecessary capability. The implementation is also cryptographically unsafe because it uses Python's Mersenne Twister PRNG as a stream cipher, making any protection weak and enabling misuse for covert file transformation or data hiding.
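To show why the finding above is more than a style complaint, here is an added example (my own code, not the skill's; the skill's actual construction is not reproduced on this page, so seeding the generator with an integer key and drawing one byte per call are assumptions) of a "stream cipher" built on Python's random module, followed by the two attacks it does not survive. The first is keystream reuse: every file protected with the same seed gets the same keystream, so one known plaintext decrypts every other file without learning the seed. The second is seed enumeration: Mersenne Twister is not a cryptographic generator and an integer seed is a search space, not a key.

```python
import random
from typing import Optional


def mt_keystream(seed: int, length: int) -> bytes:
    """Keystream drawn from Mersenne Twister seeded with the 'key' (toy reconstruction)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mt_encrypt(seed: int, plaintext: bytes) -> bytes:
    """XOR the data with the PRNG keystream; decryption is the identical operation."""
    return xor_bytes(plaintext, mt_keystream(seed, len(plaintext)))


mt_decrypt = mt_encrypt


def decrypt_sibling(known_ct: bytes, known_pt: bytes, target_ct: bytes) -> bytes:
    """Attack 1, keystream reuse: ct1 XOR pt1 is the keystream, which also covers ct2.

    Works without ever learning the seed; only requires one file whose contents are known
    (a JSON header, a CSV column line) and a target no longer than it.
    """
    keystream = xor_bytes(known_ct, known_pt)
    if len(target_ct) > len(keystream):
        raise ValueError("known plaintext too short to cover the target")
    return xor_bytes(target_ct, keystream)


def brute_force_seed(ciphertext: bytes, known_prefix: bytes, max_seed: int) -> Optional[int]:
    """Attack 2, seed enumeration: try every seed below max_seed against a known prefix.

    Each candidate costs one PRNG construction and a few bytes of output, so the search
    rate is millions of seeds per minute on a laptop; a seed that fits in a few decimal
    digits, or is derived from a timestamp, is recovered immediately.
    """
    head = ciphertext[:len(known_prefix)]
    for seed in range(max_seed):
        if mt_encrypt(seed, known_prefix) == head:
            return seed
    return None


# Constructed sample data for the demonstration (not real skill output).
DEMO_SEED = 4242
DEMO_PT1 = b'{"symbol": "600519", "signal": "BUY", "confidence": 0.71}'
DEMO_PT2 = b'{"symbol": "000001", "signal": "SELL"}'


def demo() -> dict:
    """Encrypt two records under one seed, then break both without the seed and with it."""
    ct1 = mt_encrypt(DEMO_SEED, DEMO_PT1)
    ct2 = mt_encrypt(DEMO_SEED, DEMO_PT2)
    return {
        "round_trip": mt_decrypt(DEMO_SEED, ct1) == DEMO_PT1,
        "sibling_recovered": decrypt_sibling(ct1, DEMO_PT1, ct2),
        "seed_recovered": brute_force_seed(ct1, b'{"symbol"', 10_000),
    }
```

Data at rest in a skill like this belongs under an authenticated cipher with a fresh random nonce per file (ChaCha20-Poly1305 or AES-GCM from the cryptography package) and a key produced by a real KDF; a cipher whose keystream is a PRNG seeded with the key provides neither confidentiality nor integrity, and its presence in a stock-analysis tool warrants the question of what it was meant to hide.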

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The TEMA implementation does not compute EMA-of-EMA-of-EMA as documented; it reuses the same EMA result three times, collapsing the formula into an incorrect value. In a stock-analysis skill, silently wrong indicators can mislead downstream trading decisions, backtests, and risk judgments while appearing trustworthy because of the detailed docstring and cache layer.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The MACD function advertises full MACD/Signal/Histogram output but returns a placeholder where signal equals MACD and histogram is always zero. In this skill's financial context, that can directly suppress crossover and momentum signals, producing systematically false buy/sell interpretations and unsafe automation if other components trust the output.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The SAR function returns only an initialized seed value and trend flag instead of iterating the Parabolic SAR algorithm across candles. Because the output looks structurally valid, callers may treat it as real trend/reversal data and make erroneous trading or alerting decisions based on fabricated results.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The DEMA implementation calls the same EMA function twice with identical inputs and date, making DEMA reduce to a plain EMA instead of 2*EMA - EMA(EMA). In a quantitative indicator library, this kind of silent formula substitution can poison signals, model features, and backtest results while remaining hard to detect.
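The four indicator findings above (TEMA, MACD, SAR and DEMA) describe one failure mode: a function whose output has the right shape but is computed from the wrong formula, so nothing downstream notices. The block below is an added example, not the skill's code. It gives the textbook definitions next to collapsed variants that reproduce the behaviour the findings describe (my reconstruction, since the skill's source is not on this page), plus an audit routine a reviewer can run against any indicator module: on a trending, oscillating series each indicator must differ from the quantity it claims to refine. The EMA seeding and the Parabolic SAR conventions (direction from the first two bars, step 0.02, cap 0.2) are the usual textbook choices, not values taken from the skill.

```python
import math
from typing import Callable, Dict, List, Sequence, Tuple


def ema(values: Sequence[float], period: int) -> List[float]:
    """Exponential moving average seeded with the first value, alpha = 2 / (period + 1)."""
    alpha = 2.0 / (period + 1)
    out = [float(values[0])]
    for v in values[1:]:
        out.append(out[-1] + alpha * (v - out[-1]))
    return out


def dema(values: Sequence[float], period: int) -> List[float]:
    """DEMA = 2*EMA - EMA(EMA): the second EMA runs over the first, not over the prices."""
    e1 = ema(values, period)
    e2 = ema(e1, period)
    return [2 * a - b for a, b in zip(e1, e2)]


def tema(values: Sequence[float], period: int) -> List[float]:
    """TEMA = 3*EMA - 3*EMA(EMA) + EMA(EMA(EMA))."""
    e1 = ema(values, period)
    e2 = ema(e1, period)
    e3 = ema(e2, period)
    return [3 * a - 3 * b + c for a, b, c in zip(e1, e2, e3)]


def macd(values: Sequence[float], fast: int = 12, slow: int = 26,
         signal: int = 9) -> Tuple[List[float], List[float], List[float]]:
    """MACD line, signal line (EMA of the MACD line) and histogram (MACD - signal)."""
    line = [f - s for f, s in zip(ema(values, fast), ema(values, slow))]
    sig = ema(line, signal)
    return line, sig, [m - s for m, s in zip(line, sig)]


def parabolic_sar(highs: List[float], lows: List[float], step: float = 0.02,
                  max_af: float = 0.2) -> Tuple[List[float], List[bool]]:
    """Wilder's Parabolic SAR iterated over every bar; True in the trend list means uptrend."""
    up = highs[1] > highs[0]                      # initial direction from the first two bars
    sar = lows[0] if up else highs[0]
    ep = highs[0] if up else lows[0]              # extreme point of the current trend
    af = step
    sars, trends = [sar], [up]
    for i in range(1, len(highs)):
        sar += af * (ep - sar)
        prev = slice(max(0, i - 2), i)            # the two previous bars
        if up:
            sar = min(sar, *lows[prev])           # SAR may not rise above the prior two lows
            if lows[i] < sar:                     # penetrated: flip, SAR jumps to the old EP
                up, sar, ep, af = False, ep, lows[i], step
            elif highs[i] > ep:                   # new extreme: accelerate
                ep, af = highs[i], min(af + step, max_af)
        else:
            sar = max(sar, *highs[prev])
            if highs[i] > sar:
                up, sar, ep, af = True, ep, highs[i], step
            elif lows[i] < ep:
                ep, af = lows[i], min(af + step, max_af)
        sars.append(sar)
        trends.append(up)
    return sars, trends


# Collapsed variants reproducing the behaviour the findings describe (reconstruction,
# not the skill's actual source).
def dema_collapsed(values: Sequence[float], period: int) -> List[float]:
    e = ema(values, period)
    return [2 * a - b for a, b in zip(e, e)]          # EMA(EMA) replaced by EMA: 2e - e == e


def tema_collapsed(values: Sequence[float], period: int) -> List[float]:
    e = ema(values, period)
    return [3 * a - 3 * b + c for a, b, c in zip(e, e, e)]   # likewise collapses to EMA


def macd_placeholder(values: Sequence[float], fast: int = 12, slow: int = 26,
                     signal: int = 9) -> Tuple[List[float], List[float], List[float]]:
    line = [f - s for f, s in zip(ema(values, fast), ema(values, slow))]
    return line, list(line), [0.0] * len(line)        # signal == MACD, histogram always 0


def sar_placeholder(highs: List[float], lows: List[float]) -> Tuple[List[float], List[bool]]:
    up = highs[1] > highs[0]                          # seed value and flag, never iterated
    return [lows[0] if up else highs[0]] * len(highs), [up] * len(highs)


def audit_indicators(dema_fn: Callable, tema_fn: Callable, macd_fn: Callable,
                     closes: Sequence[float], period: int = 10) -> Dict[str, bool]:
    """Behavioural checks: a placeholder passes none of them, a real implementation all."""
    e = ema(closes, period)
    line, sig, hist = macd_fn(closes)
    differs = lambda xs, ys: any(abs(a - b) > 1e-9 for a, b in zip(xs, ys))
    return {
        "dema_is_not_plain_ema": differs(dema_fn(closes, period), e),
        "tema_is_not_plain_ema": differs(tema_fn(closes, period), e),
        "signal_is_not_macd": differs(sig, line),
        "histogram_not_all_zero": any(abs(h) > 1e-9 for h in hist),
    }


# Constructed sample: a gently rising price with a sinusoidal swing (not market data).
SAMPLE_CLOSES = [100.0 + 10.0 * math.sin(i / 5.0) + 0.3 * i for i in range(120)]
```

The audit is deliberately formula-agnostic: it does not need a reference implementation, only the property that each refinement differs from its input on a non-trivial series, which is exactly what the collapsed versions fail. On a straight ramp, correct DEMA and TEMA cancel the EMA's lag almost entirely while a collapsed version keeps the full lag, which is the kind of systematic bias that backtests then "confirm".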

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The script exposes a training mode that changes system behavior over time by optimizing and persisting model weights, which goes beyond a read-only analytics skill. In agent environments, hidden state-changing modes can undermine reproducibility, create hard-to-audit behavior drift, and violate least surprise if users expect pure analysis rather than mutation of local configuration.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
save_weights() writes optimized parameters to moe_weights.json, creating persistent local state that affects future recommendations. If invoked unexpectedly, this can silently alter outputs across sessions, reduce integrity of analysis, and make behavior non-deterministic or manipulable by anyone able to trigger training.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The code monkey-patches functions in the imported indicators module at runtime, altering global module behavior for the process. This can create integrity and concurrency hazards: other code using the same module may observe modified behavior, and failures during patching/unpatching can leave the process in an inconsistent state.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The code transmits user trading-performance metrics and positions to a remote leaderboard, but this behavior is not clearly justified by the skill's stock-analysis description. Undisclosed outbound sharing of portfolio/performance data creates privacy and data-governance risk, especially because positions may reveal sensitive investment activity.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The file includes patch management, file download, version checks, and decryption-key retrieval features that are broader than the stated stock-analysis purpose. Hidden auxiliary service capabilities increase attack surface and can enable delivery or unlocking of remote content without users understanding that the skill performs software-update style operations.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill requests decryption keys for arbitrary file names from a remote service, a powerful capability not justified by a stock-analysis tool. This can facilitate unauthorized access to protected content or covert delivery of encrypted payloads that are only unlocked at runtime, making review and monitoring harder.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The embedded test harness performs token validation, benchmark retrieval, and yield submission using live outbound requests, which extends behavior into account/service management beyond the skill's declared function. Shipping such harnesses in production-facing code risks accidental execution and unintended disclosure or misuse of service credentials.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code provides generic download and ZIP extraction primitives that can write attacker-controlled content to disk, and the extraction uses zipfile.extractall() without validating archive member paths. If an untrusted ZIP is ever supplied, this can enable path traversal ('zip slip') and arbitrary file overwrite outside the intended directory.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
A generic archive extraction helper is dangerous in a skill context because it expands the file-system attack surface without any checks on archive contents. In this stock-analysis skill, that capability is not obviously required and becomes more suspicious because it could be reused by other code paths to stage or overwrite files on the host.
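One caveat belongs beside the two extraction findings above: CPython's zipfile strips absolute-path prefixes and ".." components from member names during extract() and extractall() (the behaviour is documented in the ZipFile.extract notes), so on a current interpreter the classic "zip slip" overwrite is already neutralised by the standard library itself. What remains is attacker-chosen content landing anywhere inside the target directory, unbounded decompression, and the helper being reused with other extraction code that lacks the protection. The block below is an added example, not the skill's code, of extraction that validates every member before a single byte is written: relative forward-slash names only, no ".." components, a resolved path inside the destination, no symlink members, and caps on member count and declared uncompressed size (the limits are assumptions; the page gives no package sizes). The archives are constructed in memory for the demonstration.

```python
import io
import os
import shutil
import stat
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Union

# Limits are assumptions for this example; the page gives no package sizes.
MAX_MEMBERS = 10_000
MAX_TOTAL_UNCOMPRESSED = 500 * 1024 * 1024


class UnsafeArchive(ValueError):
    """Raised before anything is written when an archive violates the extraction policy."""


def check_members(zf: zipfile.ZipFile, dest: Path) -> List[zipfile.ZipInfo]:
    """Validate every member up front; returns the members in archive order."""
    dest = dest.resolve()
    infos = zf.infolist()
    if len(infos) > MAX_MEMBERS:
        raise UnsafeArchive(f"{len(infos)} members exceeds limit of {MAX_MEMBERS}")
    total = 0
    for info in infos:
        name = info.filename
        # The zip format mandates '/' separators and relative names.
        if not name or "\\" in name or name.startswith("/") or os.path.splitdrive(name)[0]:
            raise UnsafeArchive(f"absolute or malformed member name {name!r}")
        if ".." in name.split("/"):
            raise UnsafeArchive(f"path traversal in member {name!r}")
        target = (dest / name).resolve()
        if target != dest and dest not in target.parents:
            raise UnsafeArchive(f"member {name!r} resolves outside {dest}")
        # The Unix mode sits in the high 16 bits of external_attr; refuse symlinks so a
        # link followed by a file of the same path cannot redirect a later write.
        if stat.S_ISLNK(info.external_attr >> 16):
            raise UnsafeArchive(f"symlink member {name!r}")
        total += info.file_size
        if total > MAX_TOTAL_UNCOMPRESSED:
            raise UnsafeArchive("declared uncompressed size exceeds limit")
    return infos


def safe_extract(archive: Union[bytes, str, Path], dest: Union[str, Path]) -> List[str]:
    """Extract a ZIP into dest after check_members passes; returns the names written."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    src = io.BytesIO(archive) if isinstance(archive, bytes) else archive
    written: List[str] = []
    with zipfile.ZipFile(src) as zf:
        for info in check_members(zf, dest):
            target = dest / info.filename
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            # ZipExtFile stops at the declared file_size (the figure summed above) and
            # verifies the CRC, so a member cannot expand past what was checked.
            with zf.open(info) as member, open(target, "wb") as out:
                shutil.copyfileobj(member, out)
            written.append(info.filename)
    return written


def make_zip(members: Dict[str, bytes], symlink: Optional[str] = None) -> bytes:
    """Build an in-memory archive for the demonstration (constructed input, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
        if symlink is not None:
            info = zipfile.ZipInfo(symlink)
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, "/etc/passwd")      # a symlink member's body is its target
    return buf.getvalue()
```

Checking the whole member list before writing matters more than the individual rules: extracting member by member and rejecting the bad one midway still leaves the earlier members on disk, which is exactly the staging behaviour the finding warns about.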

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases for analysis actions are broad enough to match ordinary financial conversation, which can cause the skill to invoke higher-risk remote analysis flows or produce authoritative trading guidance when the user did not clearly request that behavior. In a finance skill, ambiguous activation increases the chance of unintended external calls, overcollection of stock data, and accidental presentation of investment advice with unjustified confidence.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The random-factor-mining trigger list includes vague phrases like '碰碰运气' ("try your luck") and '随机推荐' ("random recommendation"), which are common conversational expressions and can unintentionally activate backtesting/mining behavior. Because this action may perform remote calls and generate speculative investment outputs, accidental invocation is more dangerous in this stock-analysis context than in a low-stakes domain.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases for random_alpha_backtest include broad natural-language expressions like '随机推荐' ("random recommendation") and '碰碰运气' ("try your luck"), which can match ordinary conversation and cause the agent to run a powerful backtesting workflow unintentionally. In an autonomous tool-selection context, ambiguous triggers increase the risk of unexpected resource use and unauthorized financial-analysis actions.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The buy/sell signal trigger is described with very broad phrases such as whether a stock 'can be bought' or 'should be sold,' without clear exclusions or confirmation boundaries. This makes it easier for unrelated or ambiguous discussion to invoke actionable trading analysis, increasing the chance of unintended financial guidance or tool misuse.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The training trigger phrases like '优化权重' ("optimize weights") and '重新训练' ("retrain") are generic and can collide with many unrelated user intents, yet they invoke a state-changing optimization routine with persistent side effects. Because the operation writes new weights that affect future outputs, accidental or adversarial triggering can materially change the skill's behavior over time.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation states that update_data() will automatically download and import missing data, but does not clearly warn about network access, storage changes, bandwidth consumption, or trust assumptions for downloaded patches. Hidden side effects are dangerous in agent environments because users may believe they are invoking passive analysis while the skill performs external fetches and local mutations.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The code opens arbitrary input and output file paths and performs writes with no warning, confirmation, or visible disclosure to the user. In an agent skill context, silent file-writing behavior increases the risk of destructive overwrites, unauthorized modification of local data, or covert staging of transformed files without user awareness.

VirusTotal

54/54 vendors flagged this skill as clean.
