open-market-data

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent financial-data CLI helper, but users should treat its npm-installed tool and any configured API keys with normal credential care.

Install only if you trust the `open-market-data` npm package and linked project. Prefer environment variables for API keys, avoid sharing terminal output from `omd config show`, and use `--source` when you need to control which external provider receives a query.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The documentation explicitly instructs users to store API keys via the CLI and then run `omd config show`, but it does not warn that this may display sensitive credentials in terminal output, logs, screenshots, or shared sessions. In a skill context, users often copy-paste commands verbatim, so documenting secret-handling workflows without masking guidance materially increases the risk of accidental credential disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal