Mx Financial Assistant

Security checks across malware telemetry and agentic risk

Overview

This finance assistant appears coherent, but it needs review because broad trigger wording and third-party query forwarding could expose sensitive financial questions unexpectedly.

Review before installing. Use it only for clearly financial questions you are comfortable sending to Eastmoney, and avoid including private portfolio details, client information, unpublished research, or trading plans unless you trust that provider and its data handling. Treat outputs as informational, not personalized investment advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: High
Confidence: 91%
Finding
The skill's trigger words include highly generic everyday phrases such as “帮我查一下” (help me look something up), “请问” (may I ask), “分析一下” (analyze this), and “总结一下” (summarize this), which are easily matched by mistake in ordinary conversation. For a skill that has external network access and financial-advice capabilities, a false trigger can unintentionally send user input to an external service, creating risks of privacy leakage, misrouting, and inappropriate financial output.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The documentation claims capabilities such as “选股” (stock picking), “推荐股票” (stock recommendations), and “投资决策” (investment decisions), yet it never warns that investing carries risk, that results may not suit an individual's circumstances, or that the output is not personalized investment advice. Financial scenarios are highly context-sensitive; users may mistake the output for directly actionable professional advice, leading to financial loss or compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The script transmits the user's financial question to a third-party Eastmoney API, but the code provides no user-facing disclosure, consent prompt, or data-handling notice before sending potentially sensitive investment queries off-box. In a financial assistant context, user prompts may include portfolio details, holdings, or trading intent, so undisclosed external transmission creates a real privacy and compliance risk even if the destination service is expected.

VirusTotal

60/60 vendors rated this skill as clean.