SEC_Market MCP (AI Agent + Company US)

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a disclosed remote SEC research and commerce MCP wrapper, but it needs Review because it exposes purchases, donations, deliveries, and ad campaign creation without clear user-confirmation or spending controls.

Install only if you trust the remote provider and can keep write/payment-capable tools behind explicit approval. Use read-only SEC research tools by default, and require confirmation, spending limits, and review of prices, recipients, delivery details, and ad campaign parameters before enabling purchases, donations, deliveries, or campaign creation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly advertises transactional capabilities including purchase, donation, payment verification, and delivery, but provides no warning that these actions may spend money, trigger fulfillment, or otherwise affect user accounts and external systems. In an agent-discovery context, this increases the risk that an agent may invoke high-impact tools without clear user confirmation or safety gating.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal