Back to skill

Security audit

SASAC Performance Analyst

Security checks across malware telemetry and agentic risk

Overview

This is a coherent financial benchmarking and report-generation skill, but users should treat inputs and generated reports as sensitive business data.

Install only if you are comfortable using it for local financial analysis. Use public or authorized financial documents, choose output paths carefully, delete generated reports that contain sensitive data, and verify results for lower-is-better metrics such as debt ratio or cost ratios before relying on recommendations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
This is a real logic flaw in the scoring engine: for metrics where lower values are better, the benchmark thresholds are reassigned in a way that inverts the intended ordering and can mis-score enterprises. In this skill’s context, incorrect performance scoring can lead to materially wrong benchmarking, grades, and management recommendations, which is a business-integrity issue rather than a traditional code-execution security issue.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises automated prospectus parsing and external data acquisition, which implies ingestion of potentially sensitive financial or pre-public filing data, but it provides no notice about privacy, data handling, consent, retention, or external transmission. In an AI skill context, this omission can lead users to submit confidential documents or trigger network access without understanding where data goes or how it is processed.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The markdown describes generation of HTML/PDF/Tencent Docs reports and output files but does not clearly warn users that local files may be created or modified. Even if the behavior is expected, missing disclosure can lead to unanticipated writes, overwriting files, or leaving sensitive business analysis artifacts on disk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The extraction examples show reading PDFs and writing JSON outputs for financial documents without an explicit warning that source documents and extracted structured data may be stored locally. Because the skill targets prospectuses and enterprise financial materials, this omission increases the chance of sensitive data exposure through residual files, logs, or unintended persistence.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.