Wyckoff Agent Skill

Security checks across malware telemetry and agentic risk

Overview

This finance-analysis skill is coherent, but it needs review because it encourages risky installation, credential handling, and broad CLI/MCP actions around portfolio and API data.

Review before installing. Prefer the pip install path and inspect any remote installer before running it. Do not paste passwords or API keys into shared terminals; use interactive entry or revocable keys where possible. Protect ~/.wyckoff/wyckoff.json, enable MCP only for clients you trust, and require explicit confirmation before portfolio changes, sync, cleanup, updates, or MCP registration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The skill instructs users to run `wyckoff auth login <email> <password>` directly on the command line, which can expose credentials via shell history, process listings, terminal logs, and telemetry. The added statement that credentials are persisted increases risk because it normalizes insecure secret handling without explaining safer alternatives.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding:
The skill recommends `curl ... | bash`, which executes remote code immediately without verification, pinning, checksum validation, or user review. If the upstream repository, network path, or script content is compromised, users may run arbitrary code on their system.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The default_prompt is extremely broad and authorizes the agent to detect environment state, guide installation and configuration, perform data-source/model setup, ingest multiple input types, and execute trading-related CLI actions. This can cause unintended activation of high-impact behaviors when a user only intended a narrower task, especially because the prompt mixes onboarding, system configuration, and operational trading actions in one invocation path.

Natural-Language Policy Violations

Severity: Low
Confidence: 77%
Finding:
The skill description/default prompt forces a Chinese-language/China-market context, including Beijing time and A-share workflow assumptions, without indicating user opt-in or locale negotiation. While not directly enabling code execution, it can cause misleading outputs, misaligned market-time decisions, and poor user experience for users outside that locale or expecting another language.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill instructs the agent to perform online lookups for holiday calendars and event validation without requiring clear user-facing disclosure or consent before contacting external services. In a finance context, these requests can reveal the user's market interests, holdings, or analysis targets to third parties, creating avoidable privacy and confidentiality risk.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The guide recommends piping a remotely fetched script directly into bash, which executes unreviewed code with the user's privileges and provides no opportunity to inspect integrity or content first. In an agent setup guide, this is especially risky because users are encouraged to follow the steps verbatim during onboarding, increasing the chance of arbitrary code execution if the source, transport, or repository is compromised.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
Passing email and password as CLI arguments can expose credentials through shell history, terminal logging, audit systems, and process listings visible to other local users. Because this is a login command in a setup guide, the documentation actively normalizes unsafe secret handling and can lead to credential theft on shared or monitored systems.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The guide states that credentials are automatically stored in ~/.wyckoff/wyckoff.json and reused, but gives no warning about local secret storage, file permissions, encryption, or token scope. This can expose long-lived credentials or refresh material to other local users, backups, malware, or accidental disclosure, particularly on developer workstations and shared environments.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The non-interactive model setup command places API keys directly on the command line, which can leak through shell history, process listings, telemetry, CI logs, and screenshots. Since the skill is designed for CLI/MCP workflows, this context makes the issue more dangerous because users may run these commands in persistent terminals, scripts, or shared development environments.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding:
This section authorizes direct execution of `wyckoff` CLI subcommands for broad operational intents without clear boundaries, confirmation gates, or command allowlisting. In an agent setting, broad intent routing to a local CLI can enable unintended command execution, state-changing actions, or misuse of locally installed tooling based on ambiguous user phrasing.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The playbook instructs the agent to run CLI commands directly and parse the output, but provides no requirement for a user-facing warning, confirmation step, or execution transparency. In a local-agent environment, silent command execution is dangerous because users may not realize the agent is invoking installed software that could modify configuration, portfolios, credentials, or local state.

Ssd 3

Severity: Medium
Confidence: 98%
Finding:
The skill explicitly tells users to enter account credentials into a CLI command and notes they will be persisted, which encourages insecure secret entry and storage. This can leak credentials through shell history, process inspection, screen recording, logging systems, and unclear local storage protections.

External Script Fetching

Severity: Low
Category: Supply Chain
Content (excerpt from the skill's install instructions):
````markdown
Or one-line install:
```
curl -fsSL https://raw.githubusercontent.com/YoungCan-Wang/Wyckoff-Analysis/main/install.sh | bash
```
After install, verify with `wyckoff --version` again.
````
Confidence: 97%
Finding: `curl -fsSL https://raw.githubusercontent.com/YoungCan-Wang/Wyckoff-Analysis/main/install.sh | bash`

Chaining Abuse

Severity: High
Category: Tool Misuse
Content (excerpt from the skill's install instructions):
````markdown
Or one-line install:
```
curl -fsSL https://raw.githubusercontent.com/YoungCan-Wang/Wyckoff-Analysis/main/install.sh | bash
```
After install, verify with `wyckoff --version` again.
````
Confidence: 99%
Finding: `| bash`

VirusTotal

63/63 vendors flagged this skill as clean.
