Security audit

StockMasterHunter

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent stock-analysis assistant, but it asks agents to use local API credentials and modify its own knowledge/version files without a clear consent or review boundary.

Install only if you are comfortable with an agent that may access IMA credentials, call external financial/knowledge-base APIs, and persist or modify local skill knowledge files. Prefer using scoped managed secrets, require confirmation before any sync or write operation, and review diffs before accepting knowledge-base or version changes.
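One way to enforce the recommendations above in an agent runtime, as an added example that is not code from the StockMasterHunter skill or from SkillSpector: a gate the tool layer calls before any file operation. It blocks reads under `~/.config/ima` (the credential location named in the findings), refuses writes outside the skill directory, and, for writes inside it, computes a unified diff and hands it to a human approval callback before touching disk. The class and function names, the `approve` callback interface, and the sample reference file are assumptions made for the example.

```python
"""Approval gate for an agent's file writes and credential reads.

Added example for the audit above; it is not part of the StockMasterHunter skill
or of the SkillSpector scanner. It assumes the agent runtime routes every file
read and write through this gate (hypothetical API) before executing it.
"""
import difflib
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Credential location the audited skill instructs the agent to read (from the findings).
CREDENTIAL_DIRS = (Path(os.path.expanduser("~/.config/ima")),)
# A diff line that changes a version field: the skill bumping its own version metadata.
VERSION_LINE = re.compile(r'^[-+]\s*"?version"?\s*[:=]', re.IGNORECASE | re.MULTILINE)


@dataclass
class Decision:
    allowed: bool
    reason: str
    diff: str = ""


class SkillWriteGate:
    """Deny reads of credential stores; require human approval for skill-directory writes."""

    def __init__(self, skill_dir, approve):
        self.skill_dir = Path(skill_dir).resolve()
        self.approve = approve   # callable(diff: str) -> bool, the confirmation step
        self.audit_log = []      # every decision, so sync/write operations stay reviewable

    @staticmethod
    def _inside(path, root):
        try:
            Path(path).resolve().relative_to(Path(root).resolve())
            return True
        except ValueError:
            return False

    def check_read(self, path):
        for cred in CREDENTIAL_DIRS:
            if self._inside(path, cred):
                d = Decision(False, f"read of credential store {cred} blocked; use a scoped managed secret")
                self.audit_log.append(("read", str(path), d))
                return d
        d = Decision(True, "read allowed")
        self.audit_log.append(("read", str(path), d))
        return d

    def check_write(self, path, new_text):
        target = Path(path)
        if not self._inside(target, self.skill_dir):
            d = Decision(False, f"write outside skill directory {self.skill_dir} refused")
            self.audit_log.append(("write", str(path), d))
            return d
        old_text = target.read_text() if target.exists() else ""
        diff = "".join(difflib.unified_diff(
            old_text.splitlines(keepends=True), new_text.splitlines(keepends=True),
            fromfile=f"a/{target.name}", tofile=f"b/{target.name}"))
        if not diff:
            d = Decision(True, "no change")
        else:
            note = " (version metadata change)" if VERSION_LINE.search(diff) else ""
            if self.approve(diff):               # reviewer sees the diff before anything is written
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(new_text)
                d = Decision(True, "write approved" + note, diff)
            else:
                d = Decision(False, "write rejected by reviewer" + note, diff)
        self.audit_log.append(("write", str(path), d))
        return d


def demo():
    """Exercise the gate on constructed inputs in a temp dir; returns the decisions."""
    with tempfile.TemporaryDirectory() as tmp:
        skill_dir = Path(tmp) / "stockmasterhunter"        # constructed skill directory
        skill_dir.mkdir()
        ref = skill_dir / "reference.md"                    # constructed knowledge file
        ref.write_text("version: 1.0\n# Reference\n")
        results = {}
        # 1. Reviewer rejects a "knowledge sync" that bumps the version and injects a rule.
        gate = SkillWriteGate(skill_dir, approve=lambda diff: False)
        results["rejected"] = gate.check_write(ref, "version: 1.1\n# Reference\ninjected rule\n")
        results["unchanged"] = ref.read_text()
        # 2. Reviewer approves only after inspecting the diff.
        gate = SkillWriteGate(skill_dir, approve=lambda diff: "injected" not in diff)
        results["approved"] = gate.check_write(ref, "version: 1.1\n# Reference\nnew case\n")
        results["after"] = ref.read_text()
        # 3. A write outside the skill directory never reaches the reviewer.
        results["outside"] = gate.check_write(Path(tmp) / "other.txt", "x")
        # 4. Reading the credential store is blocked regardless of approval.
        results["cred"] = gate.check_read(CREDENTIAL_DIRS[0] / "credentials.json")
        results["ref_read"] = gate.check_read(ref)
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The diff is the review artifact: the approval callback can print it to the user, post it as a pull request, or apply a policy such as rejecting any hunk that touches the version field. Because the gate resolves paths before comparing them, a relative or symlinked path cannot be used to reach outside the skill directory or to dodge the credential-store check.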

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%

Finding
The skill explicitly instructs the agent to read API credentials from local files under ~/.config/ima or from environment variables. That exceeds the stated stock-analysis purpose and creates a path for secret access and exfiltration if the model is ever induced to reveal, transmit, or misuse those values. In a skill file, telling the agent where to find secrets is sensitive because the skill content itself is untrusted and may later be combined with network actions.

Context-Inappropriate Capability

Severity: High
Confidence: 94%

Finding
The adaptive learning workflow authorizes the skill to update reference files and bump its own version metadata. That is self-modifying behavior unrelated to answering stock-analysis queries, and it can be abused to persist prompt injections, tamper with future behavior, or hide unauthorized changes behind a 'knowledge sync' operation. Persistence makes the risk materially worse because a single bad trigger can alter later sessions.

Description-Behavior Mismatch

Severity: High
Confidence: 91%

Finding
The skill claims to provide analysis and integration, but the documented sync workflow also updates cached knowledge and reference files locally. This expands the skill from stateless analysis into persistent repository modification without clear justification in the manifest, increasing the chance of stealthy behavior changes and unauthorized data retention. Hidden persistence is especially dangerous in agent skills because users may not expect file writes at all.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%

Finding
The backtesting command is presented as analytical reporting, but it also stores results as learning cases for future pattern recognition. That introduces persistence and potentially accumulates user-provided or derived data beyond the user's immediate request, which is broader than the declared role. While less severe than direct secret access, it still creates privacy, integrity, and prompt-persistence risk.

Vague Triggers

Severity: Medium
Confidence: 84%

Finding
The trigger for knowledge-base sync includes broad language such as acting after significant market cycle changes, which can overlap with ordinary conversation and cause unintended activation of privileged behavior. Over-broad triggers are dangerous in agent skills because they let normal user prompts invoke network access or state-changing operations without clear intent. Here, that risk compounds with the skill's file-writing workflow.

Missing User Warnings

Severity: Medium
Confidence: 93%

Finding
The workflow describes modifying reference files and version metadata without an explicit warning or consent flow for file changes. Silent state changes reduce user visibility and make it easier for malicious or accidental prompt content to persist in the repository. In the context of an LLM skill, undisclosed writes undermine trust boundaries and frustrate auditability.

VirusTotal

64/64 vendors rated this skill clean; no vendor flagged it.

Static analysis

No suspicious patterns detected.