Back to skill

Security audit

Query real-time and historical financial data across equities and crypto prices

Security checks across malware telemetry and agentic risk

Overview

MarketPulse is a straightforward market-data API client that uses an AISA API key to fetch stock and crypto information from AIsa.

Install only if you are comfortable using an AISA API key and sending requested tickers, screening filters, and market-research parameters to AIsa. Use a dedicated key where possible, watch any pay-as-you-go credit usage, and avoid including confidential portfolio details or trading strategy information unless that sharing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly requires environment access to read AISA_API_KEY and network access to send authenticated requests to api.aisa.one, but it does not declare corresponding permissions. This can mislead users and security tooling about the skill's actual capabilities, reducing informed consent and weakening policy enforcement around secret use and outbound communications.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The documentation instructs users to make authenticated third-party API calls but does not clearly disclose that user prompts, query parameters, and authorization-bearing requests are transmitted to an external service. While expected for a market-data skill, the missing transparency can cause inadvertent disclosure of sensitive portfolio, research, or trading-interest information.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.