Security audit

stock-analysis-zh

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed stock and crypto analysis helper that sends user-requested ticker analysis to the AISA API using a user-provided API key.

Install only if you are comfortable sending requested ticker symbols and analysis prompts to AISA. Use a dedicated AISA_API_KEY, keep AISA_BASE_URL unset unless you intentionally trust that endpoint, and treat the output as informational market analysis rather than financial advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 78% confidence
Finding: The trigger description is broad enough to activate on common investing-related queries, which can cause the skill to run more often than intended. Over-broad activation increases unnecessary exposure to the configured API key and external calls, even though the skill's stated function is otherwise aligned with its purpose.

Vague Triggers

Medium

Confidence: 81% confidence
Finding: The usage guidance does not provide sufficiently precise activation boundaries, so an agent may invoke the skill for loosely related financial prompts. This can lead to unnecessary external requests and overuse of privileged configuration without clear user intent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal