Back to skill

Security audit

Trading Journal

Security checks across malware telemetry and agentic risk

Overview

This is a local trading journal skill that stores user-entered trade details for reports, with privacy considerations but no hidden code or remote access.

Install only if you are comfortable keeping trade history, PnL, strategy notes, and emotion labels in a local file. Keep that journal private, be careful with synced or shared workspaces, and manually approve any suggested strategy or trading-system changes before applying them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill description uses broad invocation language like 'Use when recording a new trade, reviewing performance, running a weekly debrief, or updating the trading strategy,' which can cause the agent to trigger in loosely related contexts without clear guardrails. In a finance-oriented skill that writes persistent records and influences strategy updates, ambiguous activation increases the chance of unintended logging, cross-skill chaining, or accidental use on sensitive portfolio discussions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill persistently stores detailed trading data in a local file but does not warn the user that sensitive financial activity, strategy rationale, emotional state, and performance history will be retained on disk. Even though the path is local, this creates privacy and operational risk if the workspace is shared, backed up, synced, or later consumed by other skills and tools in the trading pipeline.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.