Skill Trust Decision

stock-prediction

Skill executes undeclared shell commands via subprocess with hardcoded Administrator paths, posing significant risk of unintended system modification.

Install decision first · Source: Manual upload · Scanned: Apr 5, 2026
Files 4 · Artifacts 0 · Violations 4 · Findings 4
Most direct threat evidence
High · Doc Mismatch
Undeclared shell command execution

SKILL.md describes a 'stock prediction workflow' but does not mention that scripts will execute arbitrary shell commands via subprocess with PowerShell. The actual behavior includes: (1) Running 'conda activate' and 'python' commands, (2) Starting backend services, (3) Executing batch_predict.py scripts.

scripts/run_prediction.py:28

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

4 undeclared or violating capabilities were inferred.

Pass
Hidden execution and egress

No obvious high-risk egress or execution signals were found.

Block
Attack chain and severe findings

The report includes 0 attack-chain steps and 2 severe findings.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

What drove the risk score up

Undeclared shell execution +15

SKILL.md does not mention subprocess/shell command execution, but the scripts use subprocess.Popen and subprocess.run.

Hardcoded victim paths +15

All paths are hardcoded to C:\Users\Administrator\Desktop\kronos, which indicates targeted deployment.

Auto-startup/persistence mechanism +10

The self-healing feature auto-starts the backend service without user consent.

Hidden network behavior +5

Implicit network calls via health_check.py are not declared in SKILL.md.

Most important evidence

High · Doc Mismatch

Undeclared shell command execution

SKILL.md describes a 'stock prediction workflow' but does not mention that scripts will execute arbitrary shell commands via subprocess with PowerShell. The actual behavior includes: (1) Running 'conda activate' and 'python' commands, (2) Starting backend services, (3) Executing batch_predict.py scripts.

scripts/run_prediction.py:28
Declare shell:WRITE permission and clearly document that the skill will execute Python scripts via subprocess/shell commands.
High · Privilege Escalation

Hardcoded Administrator user paths indicate targeted attack

All file paths are hardcoded to C:\Users\Administrator\Desktop\kronos. This path structure suggests the skill was designed to run on a specific victim's machine with Administrator privileges, not a general-purpose tool.

scripts/health_check.py:14
This hardcoding is a major red flag. Legitimate skills use relative paths or user-provided paths, not hardcoded Administrator desktop paths.
Medium · Persistence

Auto-startup service mechanism without user consent

The 'self-healing' feature automatically starts the backend service if health check fails. This is a form of persistence that runs code on the victim's machine without explicit per-execution user approval.

scripts/health_check.py:36
Require explicit user confirmation before starting services on their machine.
Medium · Doc Mismatch

Hidden network behavior

SKILL.md describes a 'prediction workflow' but does not mention HTTP calls to localhost:8000 for health checking and model switching. This network activity is implicit in the workflow.

scripts/health_check.py:21
Document all network requests including target URLs and purposes.

Declared capability vs actual capability

Filesystem · Block · Declared NONE · Inferred WRITE · scripts/health_check.py:46 - subprocess.Popen starts service
Network · Block · Declared NONE · Inferred READ · scripts/health_check.py:21 - urllib GET to localhost:8000
Shell · Block · Declared NONE · Inferred WRITE · scripts/run_prediction.py:28 - subprocess.run with powershell
Environment · Block · Declared NONE · Inferred READ · scripts/model_switch.py - uses conda environment activation

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

There are no structured dependency warnings.

File composition

4 files · 335 lines
Python · 3 files · 238 lines
Markdown · 1 file · 97 lines
Files of concern · 2
scripts/run_prediction.py Python · 95 lines
Undeclared shell command execution
scripts/health_check.py Python · 79 lines
Hardcoded Administrator user paths indicate targeted attack · Auto-startup service mechanism without user consent · Hidden network behavior
Other files · SKILL.md · model_switch.py

Security positives

No evidence of credential harvesting (no access to ~/.ssh, ~/.aws, .env)
No base64 encoding or obfuscation detected
No external IP communications (only localhost)
No C2 infrastructure indicators
No supply chain risks (no external dependencies beyond standard library)