All Weather Strategy

Security checks across malware telemetry and agentic risk

Overview

This is a coherent ETF portfolio analysis skill that fetches market data and can generate reports, with financial-advice and dependency hygiene caveats but no hidden account access, persistence, exfiltration, or destructive behavior found.

Install in an isolated Python environment and consider pinning/reviewing dependencies before use. Expect the skill to contact AkShare and yfinance for ETF market data and to create CSV/PDF outputs when report export is used. Treat allocations and forecasts as informational only, not personalized financial advice or a reason to trade without independent review.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Tp4

High

Category: MCP Tool Poisoning
Confidence: 88% confidence
Finding: The skill metadata and documentation understate the actual behavior by omitting external data fetching, file/report generation, and CLI functionality while claiming proactive AI guidance that is not implemented. This is dangerous because users and agents may grant the skill broader trust or permissions than intended, leading to unexpected network access, data handling, and output generation without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal