Security audit

stock-manage-skill

Security checks across malware telemetry and agentic risk

Overview

This stock-tracking skill mostly matches its purpose, but its log deletion feature is too broadly scoped and can delete files outside the intended log folder.

Review before installing. Use only if you are comfortable storing stock orders, rules, quantities, platforms, quote snapshots, logs, and backups as local plaintext files and sending stock codes to third-party quote providers. Avoid or restrict the log delete-by-file command until it validates that the target stays inside the log directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documents capabilities for local file read/write and outbound network access, but the metadata does not declare permissions. This creates a trust and review gap: users or orchestration systems may authorize the skill based on incomplete capability disclosure, while the skill can still modify local data and contact third-party services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior exceeds the declared purpose by including log deletion/cleanup, backup management, and external network access to third-party market data providers. This mismatch can mislead users and security controls about what the skill actually does, increasing the risk of unintended data deletion or unexpected data transmission.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The documentation says the system has 'no network dependency' while elsewhere stating that stock information retrieval requires network connectivity and uses public APIs. Contradictory security-relevant documentation can cause operators to deploy the skill in environments where outbound traffic is not expected or approved.

Description-Behavior Mismatch

Low
Confidence
89% confidence
Finding
The skill automatically deletes logs older than 7 days on every invocation without disclosing that behavior in the manifest. Undisclosed destructive behavior reduces auditability and can erase forensic evidence or operational history that users reasonably expect to retain.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill exposes delete operations for orders without documenting confirmation, safeguards, or recovery expectations. In an agent-driven context, ambiguous or overly direct destructive commands increase the chance of accidental or unauthorized data loss, especially when local files are the system of record.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Automatic cleanup and deletion of local data are described without prominent user-facing warnings or retention controls. In a local-file storage skill, silent cleanup can remove backups or historical records users expected to keep, leading to integrity and availability issues.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill documents network-based stock retrieval but does not warn that user-supplied stock codes and request metadata will be sent to third-party services. Even if the transmitted data seems low sensitivity, undisclosed outbound communication is a privacy and compliance concern, especially in enterprise environments.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The clear_all_logs function irreversibly deletes every file in the configured log directory with no confirmation, dry-run mode, role check, or safeguard. If exposed through the agent or called unintentionally, it can destroy audit trails and operational records that may be needed for incident response, compliance, and troubleshooting.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The delete_old_logs function permanently removes files older than a caller-supplied threshold without warning, confirmation, retention policy validation, or archival. In a stock-related system, deleting logs can weaken accountability and impair reconstruction of trading actions or operational events.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Automatic log deletion on every run occurs without an explicit runtime warning or consent. In a tool that manages financial orders and rules, logs may be important for troubleshooting, accountability, and incident investigation, so silent deletion can materially hinder recovery and auditing.

VirusTotal

66/66 vendors flagged this skill as clean.