AI 财务报表分析

Security checks across malware telemetry and agentic risk

Overview

This financial-analysis skill is mostly coherent, but it directs sensitive financial data and payment confirmation through an unsecured HTTP gateway.

Review this skill carefully before installing or using it. Do not submit real financial statements, payment credentials, or confidential business data unless the publisher provides an HTTPS endpoint with clear ownership, authentication, and payment validation details.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 99% confidence
Finding: The documentation explicitly advertises a non-TLS HTTP gateway for payment flow, which exposes payment short links, credentials, and submitted financial data to interception and tampering. This creates both confidentiality risk and integrity risk, since an attacker on path could alter payment instructions or analysis responses.

Missing User Warnings

High

Confidence: 99% confidence
Finding: The documentation explicitly advertises a non-TLS HTTP gateway for payment flow, which exposes payment short links, credentials, and submitted financial data to interception and tampering. This creates both confidentiality risk and integrity risk, since an attacker on path could alter payment instructions or analysis responses.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal