Financial News

Security checks across malware telemetry and agentic risk

Overview

This appears to be a non-destructive demo financial-news skill, but it does not actually fetch live news or send alerts despite advertising those features.

Install only if you understand this as a placeholder or demo. Do not rely on it for current financial news, investment alerts, or sentiment analysis, and do not provide a Tushare token unless a later reviewed version clearly implements live data access and explains what it sends, stores, and notifies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 76%
Finding
The skill advertises automatic monitoring and push notifications, and it requires an external API token, but it does not clearly disclose what data may be sent externally, how often monitoring runs, or how notifications are delivered. This can mislead users about ongoing background behavior and third-party data exposure, which is a meaningful transparency and privacy risk.

VirusTotal

66/66 vendors flagged this skill as clean.
