Back to skill

Security audit

my_stock_report_skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed stock-report automation that runs a local analysis tool and archives the generated reports to a specified DingTalk workspace.

Install only if you intend generated stock reports, summaries, conclusions, and document links to be written to the configured DingTalk workspace and report table. Before first use, verify the workspace ID, parent node, companion DingTalk skills, and account belong to your organization and are appropriate for the sensitivity of the reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs automatic upload of generated report contents to DingTalk documents and a DingTalk table, but the skill description and workflow do not require clear user consent or a warning that locally generated analysis will be transmitted to external services. This creates a real data-handling and privacy risk because report contents, conclusions, and metadata may be sent off-platform without an explicit opt-in at execution time.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.