Back to skill

Security audit

Stock Query

Security checks across malware telemetry and agentic risk

Overview

This stock quote skill is purpose-aligned and disclosed, but users should understand it can call finance websites and read or update a local portfolio CSV when asked.

Install only if you are comfortable with Bash-based quote lookups, outbound requests to the listed finance providers, and a local portfolio.csv storing non-secret holdings information. Treat fund estimates from the HTTP-backed source as informational and avoid using this CSV for passwords, API keys, brokerage credentials, or account numbers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill exposes a `pfile` subcommand that locates a user portfolio file under several home-directory paths, which goes beyond read-only market quote retrieval and reveals local filesystem structure plus the presence of personal financial data. Even though it does not read file contents directly, path discovery is a privacy-sensitive capability that can be chained with other tools or later steps to access the file.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code enumerates multiple candidate paths in the user's home directory to find `portfolio.csv`, disclosing existence and layout of local data stores unrelated to simple stock lookup. In an agent context, even metadata-only filesystem probing is risky because it expands the skill's access surface and can leak whether sensitive portfolio information exists.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The fund estimate query uses plain HTTP (`http://fundgz.1234567.com.cn/js/${code}.js`), allowing network attackers or malicious proxies to tamper with or observe responses. Because the returned data drives displayed fund prices and estimates, users could receive silently manipulated financial information.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger keyword "大盘" is broad enough to match general market or macroeconomic discussion, which can cause the skill to activate outside its intended scope. In a skill with shell and network permissions, unnecessary invocation increases the chance of unintended external requests or file-manipulation workflows being offered in response to ambiguous user input.

Session Persistence

Medium
Category
Rogue Agent
Content
未找到自选股文件。请执行以下步骤创建:

1. 创建配置目录并复制模板:
   mkdir -p ~/.config/stock-query
   cp <skill安装目录>/assets/portfolio.csv ~/.config/stock-query/portfolio.csv

2. 编辑文件,填入你的自选股信息。
Confidence
72% confidence
Finding
mkdir -p ~/.config/stock-query cp <skill安装目录>/assets/portfolio.csv ~/.config

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.