US Stock Analyst by leading AI LLM models with Bloomberg Data, Twitter Sentiment and Wall Street Equity Research Reports

Security checks across malware telemetry and agentic risk

Overview

This is a coherent stock-analysis skill that openly uses AIsa APIs and local report files, with privacy considerations users should understand before use.

Install only if you are comfortable sending stock symbols, watchlists, research queries, prompts, and your AIsa bearer token to AIsa services and possibly downstream model providers. Do not include confidential account details or proprietary trading strategy in prompts, protect and rotate the API key, and review saved JSON reports because they may contain raw news, social, and analysis data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (26)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill metadata declares required binaries and an API key, and the documentation shows network access plus report output to files, but no explicit permission declaration is present. This creates a transparency and policy-enforcement gap: users may invoke a skill that can exfiltrate data to external services or write files without those capabilities being clearly declared and consented to.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The portfolio-monitoring examples encourage sending a user's holdings or watchlist to a third-party API, but the README does not place an explicit warning near those examples that portfolio data will leave the local environment. Portfolio composition can be sensitive financial information, so silent transmission increases privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill encourages users to submit stock symbols, portfolio/watchlist contents, and natural-language research queries to AIsa-hosted endpoints and an LLM gateway, but it does not clearly warn that this information will be transmitted to external services and potentially onward to third-party model providers. This creates a real privacy and data-handling risk because users may disclose sensitive holdings or trading interests without informed consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill forwards aggregated stock, news, web, and social-content data to external LLM endpoints for analysis without any explicit notice, minimization, or consent flow. While this may be expected operationally, it creates a privacy and data-governance risk because retrieved third-party content and potentially sensitive user-request context are transmitted to another service.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code writes a full report containing raw fetched data, including news, analyst estimates, social content, and search results, to local disk automatically in the example flow. This persistence can expose sensitive or proprietary data to other local users, backups, or later unintended access, especially because the save occurs without explicit confirmation or redaction.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends user-supplied ticker symbols and aggregated market, news, and social-media content to external AIsa APIs and an LLM service without explicit disclosure at the point of use. In a skill context, hidden third-party transmission matters because users may not expect their inputs and retrieved content to be forwarded across multiple services for analysis.

Ssd 3

Medium
Confidence
91% confidence
Finding
The code embeds untrusted news and web-search text directly into LLM prompts and then returns the model output in the final report. This creates a prompt-injection and data-leakage path where hostile or sensitive source content can manipulate the model's reasoning, cause unintended instructions to be followed, or be echoed back to users in synthesized output.

Ssd 3

Medium
Confidence
92% confidence
Finding
Passing raw tweet text and headlines into the sentiment-analysis prompt gives external content a direct natural-language channel into the model, and the requested summary may repeat or transform any embedded sensitive or malicious content. In this skill, social content is particularly untrusted and easy for attackers to manipulate, which raises the prompt-injection and data-exposure risk.

External Transmission

Medium
Category
Data Exfiltration
Content
**Real-time Financial Metrics**
```bash
curl "https://api.aisa.one/apis/v1/financial/financial-metrics/snapshot?ticker=AAPL" \
  -H "Authorization: Bearer $AISA_API_KEY"
```
Confidence
84% confidence
Finding
```bash
curl "https://api.aisa.one/apis/v1/financial/financial-metrics/snapshot?ticker=AAPL" \
  -H "Authorization: Bearer $AISA_API_KEY"
```
Returns: Market cap, P/E ratio, revenue, EPS, profit margin, ROE,

External Transmission

Medium
Category
Data Exfiltration
Content
**Real-time Financial Metrics**
```bash
curl "https://api.aisa.one/apis/v1/financial/financial-metrics/snapshot?ticker=AAPL" \
  -H "Authorization: Bearer $AISA_API_KEY"
```
Confidence
84% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
**LLM Gateway (OpenAI Compatible)**
```bash
curl -X POST "https://api.aisa.one/v1/chat/completions" \
  -H "Authorization: Bearer $AISA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
90% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
**Real-time Financial Metrics**
```bash
curl "https://api.aisa.one/apis/v1/financial/financial-metrics/snapshot?ticker=AAPL" \
  -H "Authorization: Bearer $AISA_API_KEY"
```
Confidence
90% confidence
Finding
```bash
curl "https://api.aisa.one/apis/v1/financial/financial-metrics/snapshot?ticker=AAPL" \
  -H "Authorization: Bearer $AISA_API_KEY"
```
Returns: Market cap, P/E ratio, revenue, EPS, profit margin, ROE,

External Transmission

Medium
Category
Data Exfiltration
Content
**Real-time Financial Metrics**
```bash
curl "https://api.aisa.one/apis/v1/financial/financial-metrics/snapshot?ticker=AAPL" \
  -H "Authorization: Bearer $AISA_API_KEY"
```
Confidence
90% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
**Historical Stock Prices**
```bash
# Daily prices for last 30 days
curl "https://api.aisa.one/apis/v1/financial/prices?ticker=AAPL&start_date=2025-01-01&end_date=2025-01-31&interval=day&interval_multiplier=1" \
  -H "Authorization: Bearer $AISA_API_KEY"

# 5-minute intraday data
```
Confidence
90% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
-H "Authorization: Bearer $AISA_API_KEY"

# 5-minute intraday data
curl "https://api.aisa.one/apis/v1/financial/prices?ticker=AAPL&start_date=2025-02-07&end_date=2025-02-07&interval=minute&interval_multiplier=5" \
  -H "Authorization: Bearer $AISA_API_KEY"
```
Confidence
90% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
**Financial Statements**
```bash
# All statements (income, balance, cash flow)
curl "https://api.aisa.one/apis/v1/financial/financial_statements/all?ticker=AAPL" \
  -H "Authorization: Bearer $AISA_API_KEY"
```
Confidence
90% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
**Analyst Estimates**
```bash
# EPS forecasts and ratings
curl "https://api.aisa.one/apis/v1/financial/analyst/eps?ticker=AAPL&period=annual" \
  -H "Authorization: Bearer $AISA_API_KEY"
```
Confidence
90% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
**Insider Trading**
```bash
# Track insider buy/sell activity
curl "https://api.aisa.one/apis/v1/financial/insider/trades?ticker=AAPL" \
  -H "Authorization: Bearer $AISA_API_KEY"
```
Confidence
91% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
**Institutional Ownership**
```bash
# See who owns the stock
curl "https://api.aisa.one/apis/v1/financial/institutional/ownership?ticker=AAPL" \
  -H "Authorization: Bearer $AISA_API_KEY"
```
Confidence
90% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
**SEC Filings**
```bash
# Access 10-K, 10-Q, 8-K filings
curl "https://api.aisa.one/apis/v1/financial/sec/filings?ticker=AAPL" \
  -H "Authorization: Bearer $AISA_API_KEY"
```
Confidence
90% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
**Company News**
```bash
curl "https://api.aisa.one/apis/v1/financial/news?ticker=AAPL&limit=10" \
  -H "Authorization: Bearer $AISA_API_KEY"
```
Confidence
91% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
**Web Search (News & Articles)**
```bash
curl -X POST "https://api.aisa.one/apis/v1/scholar/search/web?query=AAPL+stock+analysis&max_num_results=10" \
  -H "Authorization: Bearer $AISA_API_KEY"
```
Confidence
94% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
**Academic Research**
```bash
curl -X POST "https://api.aisa.one/apis/v1/scholar/search/scholar?query=semiconductor+industry+analysis&max_num_results=5" \
  -H "Authorization: Bearer $AISA_API_KEY"
```
Confidence
93% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
**Twitter Search**
```bash
curl "https://api.aisa.one/apis/v1/twitter/tweet/advanced_search?query=\$AAPL&queryType=Latest" \
  -H "Authorization: Bearer $AISA_API_KEY"
```
Confidence
92% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
**YouTube Search (Earnings Calls, Analysis)**
```bash
curl "https://api.aisa.one/apis/v1/youtube/search?engine=youtube&q=AAPL+earnings+call&gl=us&hl=en" \
  -H "Authorization: Bearer $AISA_API_KEY"
```
Confidence
91% confidence
Finding
https://api.aisa.one/

VirusTotal

66/66 vendors flagged this skill as clean.
