Weather Trader

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent weather-market trading tool, but it needs Review because live financial actions are broader and less guarded than users may expect.

Install only if you intentionally want an agentic trading tool with API/wallet access. Keep it in dry-run until you have verified which venue the configuration actually resolves to, set very small max-position and max-trades limits, avoid --quiet and --no-safeguards for real-money use, and do not pass --resume unless you deliberately want to clear the loss circuit breaker. Review or disable local trade logs if strategy or account activity is sensitive, and treat auto-tune against other skill paths as unsafe unless you trust the code in the target directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The script performs a filesystem write as part of normal report generation because `if args.snapshot or not args.quiet:` causes snapshot creation whenever table output is enabled. That behavior contradicts the tool's apparent read/report purpose and can create unexpected side effects, such as overwriting `performance_snapshot.json` or triggering automation that watches that file.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The usage text states that snapshot writing happens with `--snapshot`, but the implementation writes a snapshot even without that flag. This mismatch is security-relevant because operators may run the script expecting read-only behavior while it silently modifies local state, which can mislead audits and break assumptions in automated environments.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The CLI accepts arbitrary skill names and paths derived from user-controlled arguments, then reads files from sibling directories and in the auto-tune path dynamically loads a trader Python file from that target directory. In a multi-skill environment, this breaks intended isolation and can expose data from other skills or execute unintended local code when pointed at a malicious sibling directory.

Context-Inappropriate Capability

Severity: Low
Confidence: 89%
Finding
The skill loads a project-root .env file automatically, which can ingest unrelated secrets and configuration from outside the skill's declared purpose. In a multi-skill or shared workspace, this widens the trust boundary and may cause the trader to consume sensitive values it should not access, especially when paired with networked trading behavior.
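How the .env finding plays out, as an added example (not the Weather Trader code): a constructed workspace with a project-root .env holding unrelated secrets beside a skill-local .env, an unscoped loader that ingests the root file, and a scoped loader that reads only the skill's own file and only allowlisted keys. The skill-local path, the allowlisted key names other than TRADING_VENUE, and the placeholder values are assumptions.

```python
"""Scoped .env loading for a skill versus loading the project-root .env.

Added example, not the Weather Trader code. The skill-local path, the
allowlisted key names (apart from TRADING_VENUE) and the .env contents
are assumptions.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# Keys the trader is allowed to consume; anything else in the file is dropped.
# TRADING_VENUE appears in the review; MAX_POSITION and MAX_TRADES are assumed names.
ALLOWED_KEYS = frozenset({"TRADING_VENUE", "MAX_POSITION", "MAX_TRADES"})


def parse_dotenv(text: str) -> dict[str, str]:
    """Minimal KEY=VALUE parser: skips blanks and comments, strips matching quotes."""
    out: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        out[key.strip()] = value
    return out


def load_env_unsafe(project_root: Path) -> dict[str, str]:
    # The pattern the finding describes: whatever sits in the project-root .env
    # is pulled into the trader's configuration, related to trading or not.
    path = project_root / ".env"
    return parse_dotenv(path.read_text()) if path.exists() else {}


def load_env_scoped(skill_dir: Path) -> tuple[dict[str, str], list[str]]:
    """Read only the skill's own .env and keep only allowlisted keys.

    Returns (accepted, rejected_keys) so the caller can log what was dropped
    instead of silently widening the trust boundary.
    """
    path = skill_dir / ".env"
    raw = parse_dotenv(path.read_text()) if path.exists() else {}
    accepted = {k: v for k, v in raw.items() if k in ALLOWED_KEYS}
    rejected = sorted(k for k in raw if k not in ALLOWED_KEYS)
    return accepted, rejected


def make_workspace() -> tuple[Path, Path]:
    """Constructed workspace: a project-root .env with unrelated placeholder
    secrets and a skill directory with its own .env. Returns (root, skill_dir)."""
    root = Path(tempfile.mkdtemp())
    (root / ".env").write_text(
        "# shared workspace secrets (placeholders, not real values)\n"
        "AWS_SECRET_ACCESS_KEY=placeholder-not-a-real-key\n"
        "DATABASE_URL='postgres://user:pw@db/prod'\n"
        "TRADING_VENUE=polymarket\n"
    )
    skill = root / "skills" / "weather-trader"
    skill.mkdir(parents=True)
    (skill / ".env").write_text(
        "TRADING_VENUE=sim\n"
        "MAX_POSITION=5\n"
        "GITHUB_TOKEN=placeholder\n"  # unrelated to trading; should be dropped
    )
    return root, skill
```

Note that the unscoped loader not only exposes the database and cloud placeholders to the trader, it also picks up a different TRADING_VENUE than the skill's own file declares, which is exactly the kind of cross-skill coupling the finding warns about.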

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The documentation explicitly supports real-money trading via Polymarket USDC and includes commands for live execution, but it does not present a prominent warning about irreversible financial loss, market risk, or the consequences of automated execution. In a trading skill, omission of explicit risk acknowledgment materially increases the chance of unsafe use, especially when the same quick-start section normalizes live mode alongside dry-run mode.

Missing User Warnings

Severity: Low
Confidence: 90%
Finding
Automatic snapshot creation without a prominent explicit warning introduces an unnecessary side effect in a reporting command. While this is not direct code execution or privilege escalation, it can still leak or persist trading performance data and may unexpectedly overwrite artifacts in environments where report commands are assumed to be non-mutating.

Missing User Warnings

Severity: High
Confidence: 89%
Finding
The --resume path deletes circuit_breaker.json immediately with no confirmation, authorization check, or safety interlock. In a trading skill, that can bypass a loss-prevention control and allow resumed live trading after repeated failures, increasing the chance of financial loss or abuse by anyone able to invoke the CLI.
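A guarded alternative to the unconditional delete, as an added example (not the Weather Trader code). The breaker record fields (tripped_at, realized_loss, reason), the one-hour cooldown, the acknowledgement phrase, the operator name and the audit log file are assumptions; the review only establishes that --resume removes circuit_breaker.json without any check.

```python
"""Guarded --resume for a loss circuit breaker.

Added example, not the Weather Trader code. The record layout, cooldown,
acknowledgement phrase and audit log are assumptions.
"""
from __future__ import annotations

import json
import tempfile
from pathlib import Path

BREAKER = "circuit_breaker.json"
AUDIT_LOG = "resume_audit.log"          # assumed file name
COOLDOWN_SECONDS = 3600                 # assumed: no resume within an hour of tripping


class ResumeRefused(RuntimeError):
    pass


def resume_unsafe(state_dir: Path) -> None:
    # The pattern the finding describes: the interlock is removed outright,
    # with no record of why, by whom, or what loss it was protecting against.
    (state_dir / BREAKER).unlink(missing_ok=True)


def resume_guarded(state_dir: Path, acknowledgement: str, now: float,
                   operator: str) -> dict:
    """Clear the breaker only after a cooldown and a loss-specific
    acknowledgement; archive the record and append an audit line."""
    path = state_dir / BREAKER
    if not path.exists():
        return {"status": "not_tripped"}
    record = json.loads(path.read_text())
    age = now - record["tripped_at"]
    if age < COOLDOWN_SECONDS:
        raise ResumeRefused(f"breaker tripped {age:.0f}s ago; cooldown is {COOLDOWN_SECONDS}s")
    # The operator must restate the realized loss, so a reflexive --resume
    # cannot clear a breaker nobody has looked at.
    expected = f"RESUME AFTER LOSS {record['realized_loss']:.2f}"
    if acknowledgement != expected:
        raise ResumeRefused(f"acknowledgement must be exactly {expected!r}")
    archive = state_dir / f"circuit_breaker.{int(record['tripped_at'])}.json"
    path.rename(archive)                # keep the evidence instead of deleting it
    with (state_dir / AUDIT_LOG).open("a") as log:
        log.write(json.dumps({"event": "resume", "by": operator, "at": now,
                              "cleared": record}) + "\n")
    return {"status": "resumed", "archived": archive.name}


def trip_breaker(state_dir: Path, tripped_at: float, realized_loss: float,
                 reason: str) -> Path:
    """Constructed breaker record standing in for one the trader would write."""
    path = state_dir / BREAKER
    path.write_text(json.dumps({"tripped_at": tripped_at,
                                "realized_loss": realized_loss,
                                "reason": reason}))
    return path


def make_state_dir() -> Path:
    return Path(tempfile.mkdtemp())


def breaker_present(state_dir: Path) -> bool:
    return (state_dir / BREAKER).exists()


def audit_entries(state_dir: Path) -> list[dict]:
    path = state_dir / AUDIT_LOG
    if not path.exists():
        return []
    return [json.loads(line) for line in path.read_text().splitlines()]


def refused(fn, *args) -> bool:
    """True if fn(*args) raises ResumeRefused."""
    try:
        fn(*args)
    except ResumeRefused:
        return True
    return False
```

The acknowledgement phrase is deliberately derived from the recorded loss: a confirmation that can be pasted from documentation ("yes", "--force") provides no evidence the operator saw the figure the breaker was protecting.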

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The auto-tune flow dynamically imports and executes a trader module from a path built from user-provided skill input using spec.loader.exec_module(module). That is arbitrary local code execution within the current process if an attacker can place or select a malicious sibling skill directory, which is especially dangerous in a trading environment that may hold wallet access, API credentials, or filesystem permissions.
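The auto-tune import path beside a contained and pinned version, as an added example covering this finding and the earlier Context-Inappropriate Capability finding about sibling directories (not the Weather Trader code). The <skills_root>/<skill>/trader.py layout, the skill-name pattern, the digest pin and the constructed sibling directories are assumptions; the review only states that a user-supplied skill argument becomes a path passed to spec.loader.exec_module().

```python
"""Containing and pinning the trader module that auto-tune imports.

Added example, not the Weather Trader code. Layout, name pattern and
digest pin are assumptions.
"""
from __future__ import annotations

import hashlib
import importlib.util
import re
import tempfile
from pathlib import Path
from types import ModuleType

SKILL_NAME = re.compile(r"[a-z0-9][a-z0-9_-]{0,63}")   # assumed naming rule


class SkillPathError(ValueError):
    pass


def exec_trader(path: Path) -> ModuleType:
    # Shared import step: anything that reaches here runs inside this process,
    # with the trader's wallet/API credentials and filesystem access.
    spec = importlib.util.spec_from_file_location(f"skill_{path.parent.name}", path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return module


def unsafe_trader_path(skills_root: Path, skill: str) -> Path:
    # The pattern the finding describes: the argument is joined onto the skills
    # directory as-is, so "../elsewhere", an absolute path or any sibling name works.
    return skills_root / skill / "trader.py"


def unsafe_load(skills_root: Path, skill: str) -> ModuleType:
    return exec_trader(unsafe_trader_path(skills_root, skill))


def safe_trader_path(skills_root: Path, skill: str) -> Path:
    """Reject names that are not plain identifiers and paths that resolve
    outside skills_root (the check runs after resolve(), so symlinks count)."""
    if not SKILL_NAME.fullmatch(skill):
        raise SkillPathError(f"skill name rejected: {skill!r}")
    root = skills_root.resolve(strict=True)
    candidate = (root / skill / "trader.py").resolve()
    if candidate.parent.parent != root:
        raise SkillPathError(f"path escapes skills root: {candidate}")
    if not candidate.is_file():
        raise SkillPathError(f"no trader module at {candidate}")
    return candidate


def load_trader(path: Path, pinned_sha256: str) -> ModuleType:
    """Containment keeps the path inside the tree, but a malicious sibling is
    still inside the tree. Execute nothing whose bytes were not pinned at review."""
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    if digest != pinned_sha256:
        raise SkillPathError(f"{path} digest {digest[:12]}... is not the pinned module")
    return exec_trader(path)


def make_skill_tree() -> tuple[Path, str]:
    """Constructed tree: the trusted skill and a hostile sibling. Returns the
    skills root and the sha256 of the trusted trader.py."""
    root = Path(tempfile.mkdtemp()) / "skills"
    (root / "weather-trader").mkdir(parents=True)
    good = root / "weather-trader" / "trader.py"
    good.write_text("PARAMS = {'max_position': 5.0}\n")
    (root / "evil-sibling").mkdir()
    (root / "evil-sibling" / "trader.py").write_text(
        "PARAMS = {'max_position': 1e9}\nRAN = True  # stand-in for hostile code\n")
    return root, hashlib.sha256(good.read_bytes()).hexdigest()


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises SkillPathError."""
    try:
        fn(*args)
    except SkillPathError:
        return True
    return False
```

The two layers are independent on purpose: the path check alone still lets the CLI be pointed at any sibling skill that has a trader.py, which is the scenario the finding describes, and only the digest pin stops that module from running.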

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The venue resolution logic can still result in live execution when TRADING_VENUE=sim is set, with no prominent confirmation at the point where the mode is decided. For a financial trading skill, an ambiguous execution mode is dangerous because users may place real or consequential trades under mistaken assumptions about simulation versus live execution.
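One way the mode ambiguity and the unconditional snapshot write arise, beside a fail-closed resolver that removes both, as an added example covering this finding and the snapshot findings above (not the Weather Trader code). --snapshot, --quiet and TRADING_VENUE come from the review; --live, --venue, the venue name polymarket and the flag-over-environment override order are assumptions chosen to show how a sim environment can still produce a live run.

```python
"""Fail-closed resolution of execution mode and report side effects.

Added example, not the Weather Trader code. --live, --venue, the venue
name and the override order are assumptions.
"""
from __future__ import annotations

import argparse
from dataclasses import dataclass

LIVE_VENUES = frozenset({"polymarket"})   # assumed venue identifier


class ModeConflict(ValueError):
    pass


@dataclass(frozen=True)
class RunConfig:
    venue: str
    live: bool
    write_snapshot: bool


def build_parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser(prog="weather-trader")
    p.add_argument("--venue", help="override TRADING_VENUE (assumed flag)")
    p.add_argument("--live", action="store_true",
                   help="confirm real-money execution (assumed flag)")
    p.add_argument("--snapshot", action="store_true", help="write performance_snapshot.json")
    p.add_argument("--quiet", action="store_true", help="suppress table output")
    return p


def resolve_unsafe(argv: list[str], env: dict[str, str]) -> RunConfig:
    """Mode follows whichever source wins the override, with no confirmation,
    and a report run writes a file whenever table output is enabled."""
    args = build_parser().parse_args(argv)
    venue = args.venue or env.get("TRADING_VENUE", "sim")
    live = venue in LIVE_VENUES                        # TRADING_VENUE=sim, yet --venue flips this
    write_snapshot = args.snapshot or not args.quiet   # the condition the finding quotes
    return RunConfig(venue, live, write_snapshot)


def resolve_guarded(argv: list[str], env: dict[str, str]) -> RunConfig:
    """Live execution needs the resolved venue and an explicit --live to agree;
    any disagreement is an error, not a silent choice. Snapshots need --snapshot."""
    args = build_parser().parse_args(argv)
    venue = args.venue or env.get("TRADING_VENUE", "sim")
    if venue in LIVE_VENUES and not args.live:
        raise ModeConflict(f"venue {venue!r} is live; pass --live to confirm real-money execution")
    if args.live and venue not in LIVE_VENUES:
        raise ModeConflict(f"--live given but venue {venue!r} is a simulator")
    return RunConfig(venue=venue, live=args.live, write_snapshot=args.snapshot)


def conflicts(argv: list[str], env: dict[str, str]) -> bool:
    """True if the guarded resolver refuses this combination."""
    try:
        resolve_guarded(argv, env)
    except ModeConflict:
        return True
    return False
```

The guarded version never infers live mode from a single source: a live venue without --live and --live without a live venue both stop the run, and the default with nothing set is simulation with no file written.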

VirusTotal

64/64 vendors flagged this skill as clean.
