CN Stock Analysis Pro

Security checks across malware telemetry and agentic risk

Overview

This skill is a prompt-only Chinese A-share stock report generator that uses public market data and does not request private data, credentials, code execution, or background access.

Install this if you want an agent to fetch public A-share market information and generate Chinese research reports. For bare six-digit numbers or ambiguous stock names, ask the agent to confirm before running the skill, and independently verify all market data and conclusions before making investment decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 91%
Finding
The README states that entering a stock code will trigger analysis, and the metadata further says any mention of a 6-digit A-share code, stock name, or vague request like '看看这只票' should immediately invoke the skill. This is overly broad and can cause the agent to auto-trigger on incidental mentions, reducing user control and increasing the chance of unintended data fetching, report generation, or workflow hijacking when other tasks merely reference a stock.

Natural-Language Policy Violations

Medium
Confidence: 80%
Finding
The skill is explicitly defined as generating Chinese A-share reports in Chinese without indicating any user choice or fallback behavior. While not directly dangerous like code execution, this can override user preferences, cause misleading outputs in multilingual contexts, and make the agent less predictable by imposing behavior unrelated to explicit user instructions.

Vague Triggers

High
Confidence: 95%
Finding
The skill is configured to trigger on extremely broad cues such as any 6-digit A-share code, stock name, or generic requests like '看看这只票', which can cause the agent to invoke this skill for many ordinary finance-related conversations without clear user consent. Over-broad activation increases the chance of unintended tool use, unnecessary external data access, and misrouting user requests into a report-generation workflow that may not match the user's actual intent.

VirusTotal

65/65 vendors flagged this skill as clean.
