Back to skill

Security audit

Financial Data

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward financial-data skill that uses an AISA API key to query a single market-data API endpoint.

Install only if you trust AIsa with your market-data queries and API key usage. Prefer a dedicated or limited AISA_API_KEY, monitor quota or cost usage, and avoid sending sensitive proprietary portfolio or strategy filters if that disclosure would matter to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill metadata declares required binaries and environment variables, and the examples clearly use outbound network access and an API key, but there is no explicit permissions declaration to inform the host or user of those capabilities. This weakens transparency and policy enforcement around secret access and external communication, increasing the chance that users authorize the skill without understanding it will transmit authenticated requests to a third-party service.

Missing User Warnings

Low
Confidence
94% confidence
Finding
The skill repeatedly instructs use of authenticated requests to a third-party API with a bearer token but does not prominently warn users that their prompts, selected tickers, and authorization credentials will be sent off-platform. In this context the behavior appears expected for a market-data skill, but the missing disclosure creates a consent and data-handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.