Market Sentiment Pulse

Security checks across malware telemetry and agentic risk

Overview

This skill appears safe to install, but its market sentiment claims are much stronger than its simple keyword analyzer supports.

Install only as a lightweight sentiment helper. Do not treat its output as live market intelligence or financial advice unless your agent independently fetches current sources, cites them, and clearly separates real evidence from keyword-based or simulated analysis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The skill promises to aggregate real news and social data for a ticker, but the provided content contains no mechanism to fetch, validate, or analyze external sources. In a trading context, this can mislead users into acting on fabricated or inferred 'market sentiment' presented as if it were evidence-based, creating a high risk of harmful financial decisions.

Vague Triggers

Medium
Confidence: 86%
Finding: The activation guidance is overly broad ('when starting a trade analysis session or reviewing a portfolio'), which can cause the skill to run in contexts where users may assume it has reliable, current market coverage. Because the skill description overstates its capabilities, ambiguous triggering increases the chance it is invoked as a decision-support tool without appropriate validation.

VirusTotal

66/66 vendors flagged this skill as clean.
