financial-market-data

Security checks across malware telemetry and agentic risk

Overview

This financial market data skill is mostly purpose-aligned, but it ships with and uses an actual third-party API key bundled in the skill, which needs review before installation.

Install only if you are comfortable with live market-data queries going to external providers. Before use, remove or rotate the bundled Eastmoney key and configure your own key locally, preferably through an environment variable or secret manager.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill extensively demonstrates calls to third-party APIs and market-data providers without clearly warning users that running the examples will transmit queries, stock symbols, IP metadata, and possibly authentication tokens to external services. In an agent or automated environment, this can cause unintended data disclosure, policy violations, or unreviewed outbound network activity, especially where users assume examples are local-only.

VirusTotal

65/65 vendors flagged this skill as clean.
