Security audit

ima-0625

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent stock-analysis tool, but its optional social scanners handle sensitive X/Twitter session credentials and environment variables too broadly.

Install only if you are comfortable with a finance tool that contacts Yahoo Finance, CoinGecko, Google News, Reddit, SEC sources, and optionally X/Twitter. Avoid the X/Twitter social scanners unless you understand that AUTH_TOKEN and CT0 are sensitive session credentials; keep .env out of version control, store only the needed values, and rotate/revoke them if exposed. Portfolio and watchlist files persist locally and ticker interests may be sent to third-party market-data services. Treat all trading signals as informational, not financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (27)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for category, query in searches:
    try:
        env = os.environ.copy()
        result = subprocess.run(
            [bird_bin, "search", query, "-n", "15", "--json"],
            capture_output=True, text=True, timeout=30, env=env
        )
Confidence
95% confidence
Finding
result = subprocess.run( [bird_bin, "search", query, "-n", "15", "--json"], capture_output=True, text=True, timeout=30, env=env

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and demonstrates capabilities that require shell execution, network access, and local file read/write, but it declares no explicit permissions. This creates a transparency and governance gap: users or a hosting platform may approve the skill without understanding that it can fetch external data and persist portfolio/watchlist information locally, increasing the risk of over-privileged execution and unintended data exposure.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script loads local portfolio holdings from another module and then uses those tickers in outbound requests to Yahoo Finance and possibly other providers, without an explicit user consent or privacy notice at the point of use. In a skill context, portfolio holdings can be sensitive financial data, and silent transmission of those identifiers expands data exposure beyond what users may expect from a simple market-analysis tool.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script reads arbitrary key/value pairs from a local `.env` file and injects them into the process environment before performing multiple outbound network operations and launching a subprocess. This creates unnecessary credential exposure and broadens the blast radius because unrelated secrets in `.env` become available to all downstream code and the external `bird` binary.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The hot scanner invokes an external CLI to query Twitter/X, which is risky in a skill whose purpose is market analysis because the CLI may be untrusted, swapped on PATH, or able to access host credentials and environment variables. This is more dangerous here because the script already loads `.env` and then passes environment state to the subprocess, increasing the chance of credential leakage or unintended external actions.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The plan explicitly includes Mixpanel/Amplitude and Sentry for analytics and error tracking, but the document does not mention any user-facing consent flow, disclosure, or controls over telemetry collection. In a consumer finance app handling portfolios, subscriptions, and potentially sensitive behavioral data, silent analytics collection increases privacy and compliance risk, especially under GDPR/CCPA-style regimes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly instructs users to extract `AUTH_TOKEN` and `CT0` session tokens from browser cookies and store them in a local `.env` file. These are sensitive authentication artifacts; if leaked through logs, backups, shell history, repo commits, or local compromise, they could allow unauthorized access to the user's X/Twitter session. In this skill context, the feature is optional and tied to social sentiment scraping, so the risk is not core to stock analysis but is still materially dangerous because it normalizes unsafe credential-handling practices.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The skill states that portfolio and watchlist data are stored under the user's home directory, but it does not clearly warn users that potentially sensitive financial tracking data will persist locally. Even if the data is not highly regulated, portfolio holdings, targets, and alerts can reveal private investment behavior and could be exposed to other local users, backups, or telemetry if not expected.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill prominently frames itself as producing clear BUY / HOLD / SELL signals near its core capability description without an equally prominent upfront warning that outputs are not financial advice and may materially influence real investment decisions. In a finance-oriented skill, this can encourage overreliance on the tool's recommendations, especially by inexperienced users, increasing the chance of harmful financial decisions based on incomplete, delayed, or uncertain data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs users to obtain Twitter/X session credentials from browser cookies and place them in a local .env file or environment variables, but it does not warn that these values are highly sensitive session tokens that can grant account access. Encouraging manual cookie extraction and local storage without security guidance increases the chance of credential leakage, account takeover, privacy exposure, or accidental commit of secrets.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The usage guide documents portfolio creation, adding holdings, and watchlist management commands that modify persistent user data, but it does not clearly warn users that these actions write or alter stored state. This can lead to accidental data creation or modification, especially when users copy-paste examples assuming they are read-only or ephemeral.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Portfolio analysis handles potentially sensitive holdings information, and even sending only tickers to third-party providers can reveal personal investment interests or strategy. Because this occurs automatically after reading local portfolio data, the privacy risk is materially higher than ordinary single-ticker analysis and is not clearly surfaced to the user.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script loads all key-value pairs from a local .env file into process environment variables, then later forwards the inherited environment to an external CLI. That can unintentionally expose secrets unrelated to this feature to the Bird binary or any downstream logging, crash reporting, or child processes, creating a real credential-leak and data-minimization problem.

Missing User Warnings

Low
Confidence
79% confidence
Finding
This function performs outbound HTTP requests with browser-like headers and silently swallows errors, but the script gives only minimal console messaging about what remote services are queried and what data is sent. In a skill context, undisclosed network access is a meaningful trust and privacy issue because users may not realize the tool sends search terms to external providers and retrieves untrusted content.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
for category, query in searches:
    try:
        env = os.environ.copy()
        result = subprocess.run(
            [bird_bin, "search", query, "-n", "15", "--json"],
            capture_output=True, text=True, timeout=30, env=env
Confidence
99% confidence
Finding
os.environ.copy()

Env Variable Harvesting

High
Category
Data Exfiltration
Content
for query in queries[:4]:  # Limit to avoid rate limits
    try:
        cmd = [BIRD_CLI, 'search', query, '-n', '10', '--json']
        env = os.environ.copy()

        result = subprocess.run(cmd, capture_output=True, text=True, timeout=30, env=env)
Confidence
95% confidence
Finding
os.environ.copy()

Env Variable Harvesting

High
Category
Data Exfiltration
Content
for query in queries[:3]:
    try:
        cmd = [BIRD_CLI, 'search', query, '-n', '15', '--json']
        env = os.environ.copy()

        result = subprocess.run(cmd, capture_output=True, text=True, timeout=30, env=env)
Confidence
95% confidence
Finding
os.environ.copy()

Unvalidated Output Injection

High
Category
Output Handling
Content
for category, query in searches:
    try:
        env = os.environ.copy()
        result = subprocess.run(
            [bird_bin, "search", query, "-n", "15", "--json"],
            capture_output=True, text=True, timeout=30, env=env
        )
Confidence
95% confidence
Finding
subprocess.run( [bird_bin, "search", query, "-n", "15", "--json"], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
cmd = [BIRD_CLI, 'search', query, '-n', '10', '--json']
env = os.environ.copy()

result = subprocess.run(cmd, capture_output=True, text=True, timeout=30, env=env)

if result.returncode == 0 and result.stdout:
    try:
Confidence
95% confidence
Finding
subprocess.run(cmd, capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
cmd = [BIRD_CLI, 'search', query, '-n', '15', '--json']
env = os.environ.copy()

result = subprocess.run(cmd, capture_output=True, text=True, timeout=30, env=env)

if result.returncode == 0 and result.stdout:
    try:
Confidence
95% confidence
Finding
subprocess.run(cmd, capture_output

Credential Access

High
Category
Privilege Escalation
Content
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor, as_completed

# Load .env file if exists
ENV_FILE = Path(__file__).parent.parent / ".env"
if ENV_FILE.exists():
    with open(ENV_FILE) as f:
Confidence
96% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
from concurrent.futures import ThreadPoolExecutor, as_completed

# Load .env file if exists
ENV_FILE = Path(__file__).parent.parent / ".env"
if ENV_FILE.exists():
    with open(ENV_FILE) as f:
        for line in f:
Confidence
95% confidence
Finding
.env"

Self-Modification

High
Category
Rogue Agent
Content
- [ ] Add timeout per indicator (10s max)
- [ ] Test with multiple stocks in sequence
- [ ] Measure actual runtime improvement
- [ ] Update SKILL.md with new runtime (target: 3-4s)

**Expected Impact**:
- Reduce runtime from 6-10s to 3-4s per stock
Confidence
85% confidence
Finding
Update SKILL

Self-Modification

High
Category
Rogue Agent
Content
- Extreme risk (80-100): -0.5 (bearish)
- [ ] Add to sentiment analysis as 6th indicator
- [ ] Test with historical crisis periods
- [ ] Update SKILL.md with geopolitical indicator

**Expected Impact**:
- Early warning for market-wide risk events
Confidence
85% confidence
Finding
Update SKILL

Tool Parameter Abuse

High
Category
Tool Misuse
Content
GET    /portfolios
POST   /portfolios
PUT    /portfolios/{id}
DELETE /portfolios/{id}

GET    /portfolios/{id}/assets
POST   /portfolios/{id}/assets
Confidence
80% confidence
Finding
DELETE /portfolios/{id}

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.