
Security audit

Warren Buffet's Brain

Security checks across malware telemetry and agentic risk

Overview

This is a coherent investment-research skill with disclosed helper commands, and I found no evidence of hidden data theft, destructive behavior, or automatic unsafe execution.

Install only if you want a finance research workflow that may fetch public filings and, when explicitly used for maintenance, write local research files. Treat BUY/PASS outputs as research rather than financial advice, review generated file changes before committing them, avoid running corpus/learn/evolve on private documents unless you intend their contents to influence the local framework, and use the local preview server only on trusted networks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill declares no required permissions, but its documented behavior and associated tooling indicate access to environment data, filesystem read/write, and shell-like operations. This mismatch can cause a host or reviewer to trust the skill as low-risk while it can actually modify local files or invoke external commands, which meaningfully expands attack surface.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding
The skill is presented as a stock-analysis research tool, but the detected behavior includes unrelated and higher-risk actions such as browsing directories outside the repository, editing knowledge files, generating artifacts from arbitrary local files, and using subprocesses. That description-behavior mismatch is dangerous because users may invoke the skill expecting passive analysis while it can access local data, persist changes, package content, or exfiltrate information indirectly via generated bundles or clipboard operations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The skill claims to be grounded in cached company cards and strict point-in-time analysis, but these instructions explicitly authorize live fetching from SEC EDGAR and creation of new persisted artifacts when a card is missing. That expands the skill from a read-only analysis tool into one with network access and write side effects, which increases attack surface, creates reproducibility risks, and can violate user expectations or platform policy.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
These instructions require the agent to append to backtest results and modify index files as part of normal analysis, introducing persistent state changes for what is presented as an analysis/verdict skill. Automatic repository mutation can corrupt benchmarks, poison future runs, and let prompt-driven requests create unauthorized or low-integrity changes without a clear approval boundary.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The card claims strict point-in-time, decision-date-disciplined analysis, but the `analyzed_date` is 2026-03-26 while the analysis is framed around late-2020 inputs. In an investment-analysis skill, this creates a real data-integrity risk because future knowledge may have influenced the memo or its framing, undermining backtest validity and potentially misleading users about what was knowable at the decision point.

Description-Behavior Mismatch

Severity: Medium
Confidence: 78%
Finding
The helper script exposes repository mutation, packaging, site generation, and distribution workflows that materially exceed the skill's stated analysis purpose. In an agent setting, this expanded capability increases the chance that a user or orchestrator invokes file-writing or packaging actions unexpectedly, causing unauthorized workspace changes or unintended data redistribution.

Context-Inappropriate Capability

Severity: Medium
Confidence: 73%
Finding
The script can start a local HTTP server and publish generated repository-derived content, which is beyond what a stock-analysis skill needs. In agent or shared environments, this may expose local research artifacts or sensitive workspace contents over the network if launched inadvertently, especially because it binds to all interfaces via `('', args.port)`.

Context-Inappropriate Capability

Severity: Medium
Confidence: 81%
Finding
The code trusts an environment variable to point at an arbitrary local corpus tree and then browses and reads from that location in support of learning workflows unrelated to the core cached-card analysis. In an agent context, this broadens the accessible local file surface and can lead to unintended disclosure of document names or contents from user-controlled paths.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The `learn` and `evolve` commands ingest arbitrary local files, generate prompts from their contents, and append user-supplied text directly into repository state. This creates a real integrity risk for agent-driven use: unreviewed local content can be exfiltrated into prompts, and repository files can be modified without strong guardrails or provenance checks.

Vague Triggers

Severity: Low
Confidence: 90%
Finding
The control-group entries say `conclusion: "PASS"` while the accompanying text explains the companies fail key gates and do not improve the investment case. In a skill that may be consumed by downstream agents or rules, this semantic inconsistency can cause incorrect routing, scoring, or BUY/PASS decisions if systems key off the label instead of the narrative.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The `evolve` workflow writes directly to `buffett_brain.md` after interactive input, but it does not present an explicit warning that repository state will be changed or require a final confirmation before committing the mutation. In agent-assisted environments, that makes accidental or prompt-induced modification of tracked files more likely, harming integrity and auditability.

Ssd 3

Severity: Low
Confidence: 90%
Finding
The file embeds user-specific absolute local paths such as /Users/pineapple/... which reveal workstation structure, usernames, project layout, and private document locations. If surfaced to end users or logs, this can leak environmental details that aid reconnaissance, social engineering, or targeted follow-on attacks, even though the immediate impact is limited.

VirusTotal

67/67 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.