HFT Paper Trader Pro

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only crypto paper-trading skill with disclosed local logging and no evidence of credential use, real-money trading, hidden code, or destructive behavior.

Install only if you want a paper-trading assistant that may create or update local trading state and lesson files. Keep it sandboxed from real exchange credentials unless you separately audit any implementation you add, and verify the version/slug mismatch before relying on provenance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (90% confidence)
Finding
The usage triggers are very broad (e.g. 'scan the watchlist and trade all signals') and do not clearly constrain when or how the skill should activate. In an autonomous-agent context, this can cause unintended invocation and autonomous trading behavior, especially because the skill also performs persistent writes and portfolio actions.

Missing User Warnings

Medium (93% confidence)
Finding
The skill describes logging and portfolio management behavior, but it does not explicitly warn users that it writes persistent data to local files like portfolio.json, journal.json, and observations.md. This can lead to silent state changes, data retention, and unintended disclosure of trading history or agent-generated observations in shared or sensitive environments.

VirusTotal

64/64 vendors flagged this skill as clean.
