Back to skill

Security audit

Stock Monitor Skill 0.1.0

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed market-alert monitor that polls public financial data and can run in the background, with privacy and investment-advice caveats but no evidence of hidden theft or destructive behavior.

Install only if you want a continuously running market monitor. Review the hardcoded watchlist and cost values before use, expect third-party financial-data providers to receive queried symbols or names, stop the daemon when finished, and treat the generated suggestions as informational rather than financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and documents network-dependent behavior such as market monitoring, news analysis, and gold/stock data retrieval, but no corresponding permissions are declared. Undeclared network capability weakens user consent and platform enforcement because the skill can access external data sources without transparent permission scoping.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose focuses on technical stock alerts, but the analyzed behavior expands into news scraping, sentiment analysis, capital-flow queries, leaderboard data, macro correlation analysis, investment recommendations, daemonized background execution, and gold market monitoring. This mismatch is dangerous because users and reviewers may grant trust for a narrow alerting tool while the skill performs broader data collection, continuous monitoring, and advisory functions that materially change its risk profile.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.