Deep Investment Research

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed investment-research skill that gathers public financial and policy data, writes local research artifacts, and does not show evidence of hidden exfiltration, destructive behavior, or trade execution.

Install only if you are comfortable with investment topics, tickers, watchlists, and research queries being sent to external search and data providers. Keep API keys in normal environment variables, set SEARCH_SKILL_PATH only to a trusted search helper, and use dedicated output directories rather than sensitive shared folders. Treat the results as research input, not automatic trading advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        "--compact",
    ]
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=20)
        if result.returncode != 0:
            return []
        data = json.loads(result.stdout)
Confidence
94% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=20)

Tainted flow: 'status_path' from os.environ.get (line 317, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
            status["agent_notice"] = ("⚠ " + "; ".join(notices)) if notices else ""
        except (FileNotFoundError, json.JSONDecodeError):
            pass  # No existing file, write fresh
    with open(status_path, "w") as f:
        json.dump(status, f, ensure_ascii=False, indent=2)

    # Summary
Confidence
80% confidence
Finding
with open(status_path, "w") as f:

Tainted flow: 'SEARCH_SCRIPT' from os.environ.get (line 43, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
def search_ministry(name, query, today):
    """Serper news fallback: parse relative/absolute dates, filter by RECENT_DAYS, drop noise pages."""
    try:
        result = subprocess.run(
            ["python3", SEARCH_SCRIPT,
             "--query", query,
             "--provider", "serper",
Confidence
96% confidence
Finding
result = subprocess.run( ["python3", SEARCH_SCRIPT, "--query", query, "--provider", "serper", "--type", "news", "--time-range",

Tainted flow: 'cmd' from os.environ.get (line 98, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
        "--compact",
    ]
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=20)
        if result.returncode != 0:
            return []
        data = json.loads(result.stdout)
Confidence
98% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=20)

Tainted flow: 'output_file' from os.environ.get (line 1019, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    output_dir = DATA_DIR / target_date
    output_dir.mkdir(parents=True, exist_ok=True)
    output_file = output_dir / "policy_gov.json"
    with open(output_file, 'w', encoding='utf-8') as f:
        json.dump(output, f, ensure_ascii=False, indent=2)

    return output
Confidence
84% confidence
Finding
with open(output_file, 'w', encoding='utf-8') as f:

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The methodology explicitly broadens the skill from investment research into political, military, and international 'intelligence' gathering. That materially expands the operational scope beyond the manifest and can cause the agent to collect and synthesize sensitive geopolitical content under the guise of finance research, increasing misuse risk and violating least-privilege/scope expectations.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The template asks for '利好板块/标的' (favorable sectors/targets) and '利空板块/标的' (unfavorable sectors/targets), which are effectively target-level market implications and can be used as actionable trading guidance. This conflicts with the manifest's claim of 'pure research' with no trading signals or monitoring, creating a deceptive scope mismatch that can enable downstream investment recommendations.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger conditions are broad enough to activate on ordinary discussion of investing, planning, or policy topics, which can cause the skill to run data-collection and networked research flows when the user did not intend that level of action. In this skill's context, over-triggering is more dangerous because activation may disclose sensitive research topics to third-party providers and write local artifacts automatically.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The template hard-codes Chinese-only instructions and output format across the entire prompt, without allowing the caller or downstream user to choose language. In a general-purpose research skill, this can cause policy analysis to be generated in an unintended language, degrading usability, reviewability, and potentially causing misunderstanding in multilingual workflows or automated pipelines that expect another language.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
These instructions direct the agent to fetch arbitrary external URLs and perform searches without any consent, allowlist, or warning that queries and targets will be sent to third parties. That creates data-exposure and SSRF-style risk in agent environments, especially if search results or user-provided topics can influence which URLs are fetched.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs use of multiple external APIs, search providers, and social platforms without warning about privacy, reliability, or data-sharing implications. In an agent setting, this can leak research topics, watchlists, or user-sensitive context to third parties and increase exposure to untrusted content sources.

VirusTotal

60/60 vendors flagged this skill as clean.