Security audit

daily-investment-digest

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it fetches public financing-event data and formats a report, and it shows no hidden persistence, credential access, or destructive behavior.

Install this if you are comfortable with the agent making bounded requests to the disclosed iYiou financing-event API when asked for investment digests. Be aware that implicit invocation is enabled, so review the cases where your agent chooses the skill automatically for finance-report tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 90%
Finding
The manifest enables implicit invocation with no documented trigger constraints, so the skill may be auto-selected in situations the user did not clearly request. Because this skill performs external data retrieval and shapes the final answer format, unintended activation can cause surprise network access, unnecessary data processing, and output manipulation without explicit user consent.

VirusTotal

59/59 vendors flagged this skill as clean.
