Irr

Security checks across malware telemetry and agentic risk

Overview

The skill does not appear to access data or run hidden actions, but its finance reference content is generic and does not match its advertised IRR purpose.

Review this before installing if you expect reliable finance guidance. It appears low-risk from a system-security perspective, but its IRR material is too generic to rely on for calculations, compliance, investment decisions, or downstream agent workflows without independent verification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The script is presented as an IRR finance reference tool, but nearly all command output is generic placeholder text rather than accurate Internal Rate of Return guidance. In a finance context, misleading or fabricated reference content can cause users or downstream agents to rely on incorrect information for calculations, compliance, or investment decisions, creating integrity and decision-support risk.

Intent-Code Divergence

Medium
Confidence: 89%
Finding
The inline documentation and command names strongly imply authoritative IRR finance reference material, but the actual outputs discuss an undefined generic subject ('Irr') and unrelated boilerplate concepts. This mismatch increases the chance that users or agents will trust the tool's branding and consume inaccurate content, which is especially risky in finance where precision and compliance matter.

VirusTotal

66/66 vendors flagged this skill as clean.
