Mx Stocks Screener

Security checks across malware telemetry and agentic risk

Overview

This finance-data skill uses an API key and external market-data service as expected for its stated purpose, with no evidence of hidden, destructive, or account-mutating behavior.

Install only if you trust the Eastmoney/MX financial data service and can rotate EM_API_KEY. Use a virtual environment for the Python dependencies, keep the API key out of prompts/logs/repos, and review generated xlsx/txt files before sharing them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 88% confidence
Finding: The skill requires an environment secret, performs network access to a third-party API, and writes files, but the manifest does not explicitly declare permissions beyond an install stanza. This creates a transparency and governance gap: users or hosting platforms may invoke the skill without understanding that it can transmit user queries and API-backed results externally and persist outputs locally.

Vague Triggers

Medium

Confidence: 72% confidence
Finding: The description says the skill works from broad natural-language queries across many asset classes without clearly defining invocation boundaries. In agent settings, this can cause over-triggering or accidental routing of unrelated prompts, which may send unintended financial queries or sensitive context to the external service.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal