Modular Market Brief

Security checks across malware telemetry and agentic risk

Overview

This skill appears to generate market briefs using public financial data sources, with no supported evidence of hidden persistence, credential use, destructive actions, or data exfiltration.

Install only if you are comfortable with the skill querying third-party financial data services for the ticker symbols you provide. It does not appear to need credentials or privileged system access, but adding explicit permissions and network-use disclosure would improve transparency.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 70%
Finding: Without declared permissions the skill's intent is opaque and cannot be validated.

Missing User Warnings

Low
Confidence: 84%
Finding: The script performs an external network call via yfinance to fetch market data for each ticker. While the file docstring mentions that it is yfinance-based, there is no runtime notice, confirmation, or explicit warning that invoking the script will contact a third-party service and transmit requested ticker symbols.

Session Persistence

Medium
Category: Rogue Agent
Content
# Modular Market Brief

Create a concise but information-dense market report that is **modular** (can include/exclude sections) and **data-backed** (prices/returns/trend state when possible).

## Inputs to ask for (or assume defaults)
- **Time window:** AM (since prior close) vs PM (what changed since AM)
Confidence: 60%
Finding: Create a concise but information-dense market report that is **modular** (can include/exclude sections) and **data-backed** (prices/returns/trend state when possible). ## Inputs to ask for (or assume

VirusTotal

66/66 vendors flagged this skill as clean.
