my_stock_log_skill

Security checks across malware telemetry and agentic risk

Overview

This is a narrow instruction-only skill for adding and querying stock-analysis notes in a specific DingTalk table, with the write behavior disclosed.

Install only if you intend to use the declared DingTalk Base ID and Sheet ID for stock-analysis logs. Before inserting real records, verify that the target table is yours or authorized, review the separate dingtalk-ai-table skill that performs the API writes, and consider asking the agent to confirm before each insert.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill performs persistent write operations to a DingTalk table but does not require an explicit user-facing confirmation or warning that data will be stored. This creates a risk of unintended record creation, especially because the skill is triggered by natural-language requests and acts as a dispatcher to a lower-level table-writing capability.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal