Institutional Tracker Ai

Security checks across malware telemetry and agentic risk

Overview

This financial-analysis skill is mostly coherent, but it under-discloses two behaviours users should review before installing: plaintext credential handling in config.py and local cross-skill script execution.

Install only if you are comfortable with a local financial tool that stores a Tushare or proxy token in a Python config file (config.py), calls third-party market and news data sources, and may execute another local Xiaohongshu search script if one exists on disk. Treat its stock signals as research only, review or disable the external-script code paths before first use, and never commit config.py or generated reports that contain credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
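The "Behavioral AST" class above, and the two subprocess findings listed below, are the kind of thing a reviewer can reproduce locally before trusting a scanner verdict. The following is an added example, not SkillSpector's code and not the skill's code: a small ast-based check that flags exec()/eval()/dynamic imports and subprocess calls, and marks a subprocess call that sits inside an `if os.path.exists(...)` branch, which is the cross-skill pattern the findings describe. SAMPLE_SOURCE is constructed to mimic those shapes; the path in it is hypothetical.

```python
import ast

# Constructed sample source that reproduces the shapes described in the findings.
# It is illustrative only and is not the skill's real code.
SAMPLE_SOURCE = '''
import os, subprocess
NEODATA_SCRIPT = "/tmp/other_skill/search.py"   # hypothetical path

def query(query_text, data_type="api"):
    result = subprocess.run(
        ["python3", str(NEODATA_SCRIPT), "--query", query_text, "--data-type", data_type],
        capture_output=True, text=True, timeout=30)
    return result.stdout

def sentiment(mcp_script):
    if os.path.exists(mcp_script):
        subprocess.run([mcp_script, "A股 买入"], capture_output=True, text=True, timeout=15)

def helper(code):
    eval(code)
    mod = __import__("json")
    return mod
'''

DYNAMIC_CODE = {"exec", "eval", "__import__", "importlib.import_module"}
SUBPROCESS_FUNCS = {"run", "Popen", "call", "check_call", "check_output"}


def dotted_name(node):
    """Render a Name/Attribute chain such as os.path.exists as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def existence_gated_lines(tree):
    """Line numbers inside `if os.path.exists(...)` bodies: the cross-skill execution pattern."""
    lines = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.If) and isinstance(node.test, ast.Call) \
                and dotted_name(node.test.func) == "os.path.exists":
            for stmt in node.body:
                for sub in ast.walk(stmt):
                    if hasattr(sub, "lineno"):
                        lines.add(sub.lineno)
    return lines


def scan_source(source):
    """Return sorted (lineno, category, detail) tuples for dangerous-execution calls."""
    tree = ast.parse(source)
    gated = existence_gated_lines(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        if name in DYNAMIC_CODE:
            findings.append((node.lineno, "dynamic-code", name))
        elif name and name.startswith("subprocess.") and name.split(".", 1)[1] in SUBPROCESS_FUNCS:
            # shell=True would make the query text shell syntax; an argv list keeps it data.
            shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True for kw in node.keywords)
            detail = name + (" shell=True" if shell else " argv-list")
            if node.lineno in gated:
                detail += " existence-gated"
            findings.append((node.lineno, "subprocess", detail))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, category, detail in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno:>3}  {category:<12} {detail}")
```

The argv-list/shell=True distinction matters when reading the findings: neither of the skill's calls passes user text to a shell, so the risk is the external script itself, not command injection through query_text.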
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def query(self, query_text: str, data_type: str = "api") -> dict:
    try:
        result = subprocess.run(
            ["python3", str(NEODATA_SCRIPT), "--query", query_text, "--data-type", data_type],
            capture_output=True, text=True, timeout=30
        )
Confidence
88% confidence
Finding
result = subprocess.run( ["python3", str(NEODATA_SCRIPT), "--query", query_text, "--data-type", data_type], capture_output=True, text=True, timeout=30 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if os.path.exists(mcp_script):
    try:
        result = subprocess.run(
            [mcp_script, "A股 买入"],
            capture_output=True, text=True, timeout=15
        )
Confidence
90% confidence
Finding
result = subprocess.run( [mcp_script, "A股 买入"], capture_output=True, text=True, timeout=15 )

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file header claims the backtest universe was expanded from 10 to 30 stocks and covers all industries, but the actual BACKTEST_STOCKS list contains only 10 names. In an investment-analysis skill, this is dangerous because it can materially mislead users about sample breadth, robustness, and generalizability of reported performance, causing overtrust in the model's claimed statistical significance.

Intent-Code Divergence

Low
Confidence
89% confidence
Finding
The comment says the trailing-stop simulation uses an 8% stop, while the actual TRAILING_STOP_PCT is 15%. In a trading/backtesting skill, this mismatch can mislead operators reviewing risk controls and backtest assumptions, resulting in incorrect interpretation of drawdown tolerance and expected strategy behavior.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The skill metadata emphasizes Tushare-based structured data and sentiment aggregation, but this file also delegates to an external NeoData search script. That mismatch matters because hidden or undocumented data paths reduce transparency and can conceal additional network access, data exfiltration, or unreviewed processing outside the expected skill boundary.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
Executing an external script is a materially stronger capability than fetching market data from an API because it enables arbitrary code execution through whatever the script does. In a financial-analysis skill, this broader capability increases supply-chain and post-deployment tampering risk, especially if configuration or package contents can be modified.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
A sentiment aggregation component unexpectedly invokes an external MCP/shell script, which is a capability escalation relative to its declared role of collecting and scoring data. This kind of hidden execution path is dangerous because operators may treat the module as passive analytics while it actually runs local code from another skill directory.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Instructing users to place an API token in a local config file without strong credential-handling guidance increases the likelihood of accidental exposure through source control, logs, backups, or report generation. In a skill that also uses file operations and shell execution, plaintext secret storage becomes more dangerous because other workflow steps could inadvertently read, copy, or publish the token.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs users to hardcode a Tushare token and proxy API URL directly into config.py, but provides no warning that these are credentials or that storing them in source files risks accidental disclosure through version control, logs, backups, or shared reports. In this skill's context, the risk is heightened because it explicitly encourages use of third-party 'proxy' tokens purchased from informal marketplaces, which increases the chance of account abuse, malicious endpoints, and credential theft.
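The two Missing User Warnings findings above say what the guide omits; the following added example shows what the guidance would look like in code. It is not the skill's code: it reads the Tushare token from an environment variable or from a private file outside the repository (refusing a file readable by group or others), scrubs the token from report text, and includes a pre-commit style check for credential literals in a config module. TOKEN_ENV, TOKEN_FILE, the dummy token and CONFIG_SAMPLE are all constructed for this example.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

TOKEN_ENV = "TUSHARE_TOKEN"                             # assumed variable name
TOKEN_FILE = "~/.config/institutional_tracker/token"    # assumed location, outside the repo


class CredentialError(Exception):
    pass


def load_token(env=None, token_file=TOKEN_FILE):
    """Environment first, then a private file; never config.py inside the skill directory."""
    env = os.environ if env is None else env
    token = (env.get(TOKEN_ENV) or "").strip()
    if token:
        return token
    path = Path(token_file).expanduser()
    if not path.is_file():
        raise CredentialError(f"set {TOKEN_ENV} or create {path}")
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        # Refuse rather than warn: a group/world-readable token file is already exposed.
        raise CredentialError(f"{path} has mode {mode:o}; run chmod 600 on it")
    token = path.read_text(encoding="utf-8").strip()
    if not token:
        raise CredentialError(f"{path} is empty")
    return token


# A credential-looking name assigned a quoted literal containing a long alphanumeric run.
_SECRET_LINE = re.compile(
    r'^\s*([A-Za-z_]*(?:TOKEN|KEY|SECRET|PASSWORD|URL)[A-Za-z_]*)\s*=\s*["\']([^"\']*)["\']')
_LONG_LITERAL = re.compile(r"[A-Za-z0-9]{24,}")


def find_hardcoded_secrets(source):
    """Pre-commit style check: (lineno, name) for credential literals in a config module."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = _SECRET_LINE.match(line)
        if m and _LONG_LITERAL.search(m.group(2)):
            hits.append((lineno, m.group(1)))
    return hits


def redact(text, secrets):
    """Scrub every known secret from report text before it is written or shared."""
    for secret in sorted(filter(None, secrets), key=len, reverse=True):
        text = text.replace(secret, "[REDACTED]")
    return text


# Constructed sample config mirroring the guide's instructions (dummy token, not a real one).
CONFIG_SAMPLE = '''
TUSHARE_TOKEN = "f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0"
PROXY_API_URL = "https://proxy.example/api?token=f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0"
TUSHARE_TOKEN_PLACEHOLDER = "your_token_here"
TIMEOUT = 30
'''


def demo():
    """Exercise the loader and redactor against a temporary token file; returns what happened."""
    dummy = "f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0"   # constructed, not a real credential
    out = {}
    with tempfile.TemporaryDirectory() as d:
        f = Path(d) / "token"
        f.write_text(dummy + "\n", encoding="utf-8")
        f.chmod(0o644)
        try:
            load_token(env={}, token_file=str(f))
            out["world_readable"] = "accepted"
        except CredentialError:
            out["world_readable"] = "refused"
        f.chmod(0o600)
        out["file_token"] = load_token(env={}, token_file=str(f))
        out["env_wins"] = load_token(env={TOKEN_ENV: "env-token-value"}, token_file=str(f))
    report = f"data pulled with token={dummy}; proxy=https://proxy.example/api?token={dummy}"
    out["redacted"] = redact(report, [dummy])
    return out


if __name__ == "__main__":
    print(find_hardcoded_secrets(CONFIG_SAMPLE))
    print(demo())
```

The URL check is deliberate: a "proxy API URL" that carries the token as a query parameter is a credential too, and it is the form most likely to end up in a generated report or log line.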

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The file invokes an external script without any local disclosure, consent flow, or warning about the expanded execution and data-sharing behavior. Lack of transparency is security-relevant here because users and reviewers may reasonably assume only direct Tushare API access, while the code actually triggers additional executable logic and possibly other external interactions.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The code runs an external script silently, with no user-facing disclosure that local code outside this module may execute. In an agent skill context, hidden execution is more dangerous because users may believe they are only requesting data aggregation, not authorizing cross-skill script execution and whatever network or file access that script performs.
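The subprocess findings, the two Context-Inappropriate Capability findings and the last two Missing User Warnings findings all describe the same silent `if os.path.exists(script): subprocess.run(...)` branch. The following added example, not the skill's code, shows the gates a reviewer would want in front of that call: an explicit opt-in switch, path containment under a known skills root, a regular-file and not-writable check, and a pinned SHA-256 so a modified script is refused rather than run. OPT_IN_ENV, the skills tree and the script contents in demo() are constructed assumptions.

```python
import hashlib
import os
import subprocess
import sys
import tempfile
from pathlib import Path

OPT_IN_ENV = "TRACKER_ALLOW_EXTERNAL_SCRIPTS"   # assumed name for the explicit opt-in switch


class ExternalScriptRefused(Exception):
    pass


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_external_script(script, skills_root, pinned_sha256, env=None):
    """Every gate the bare `if os.path.exists(...)` branch lacks; returns the resolved path."""
    env = os.environ if env is None else env
    if env.get(OPT_IN_ENV) != "1":
        raise ExternalScriptRefused(f"cross-skill execution disabled; set {OPT_IN_ENV}=1 to allow it")
    resolved = Path(script).resolve()          # follow symlinks before the containment check
    root = Path(skills_root).resolve()
    if root not in resolved.parents:
        raise ExternalScriptRefused(f"{resolved} is outside {root}")
    if not resolved.is_file():
        raise ExternalScriptRefused(f"{resolved} is not a regular file")
    if resolved.stat().st_mode & 0o022:
        raise ExternalScriptRefused(f"{resolved} is group/world-writable")
    digest = sha256_file(resolved)
    if digest != pinned_sha256:
        raise ExternalScriptRefused(f"{resolved} hash {digest[:12]}... does not match the pinned value")
    return resolved


def run_external_script(script, args, skills_root, pinned_sha256, timeout=15, env=None):
    """argv list, no shell, stripped environment: the query text is data, never shell syntax."""
    path = check_external_script(script, skills_root, pinned_sha256, env)
    return subprocess.run([sys.executable, str(path), *args], capture_output=True, text=True,
                          timeout=timeout, check=False, env={"PATH": os.environ.get("PATH", "")})


def demo():
    """Run the gates against a constructed skills tree; returns the verdict for each case."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "skills"
        (root / "xiaohongshu_search").mkdir(parents=True)
        script = root / "xiaohongshu_search" / "search.py"    # hypothetical sibling skill
        script.write_text("import sys\nprint('args:', sys.argv[1:])\n")
        script.chmod(0o755)
        pinned = sha256_file(script)                         # recorded at review time
        outside = Path(d) / "search.py"                      # same content, not under the root
        outside.write_text(script.read_text())
        outside.chmod(0o755)
        allow = {OPT_IN_ENV: "1"}

        def verdict(path, digest, env):
            try:
                check_external_script(path, root, digest, env)
                return "allowed"
            except ExternalScriptRefused:
                return "refused"

        verdicts["good"] = verdict(script, pinned, allow)
        verdicts["no_opt_in"] = verdict(script, pinned, {})
        verdicts["outside_root"] = verdict(outside, pinned, allow)
        script.chmod(0o777)
        verdicts["world_writable"] = verdict(script, pinned, allow)
        script.chmod(0o755)
        script.write_text("print('tampered')\n")             # simulated post-install modification
        verdicts["tampered"] = verdict(script, pinned, allow)
    return verdicts


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:<15} {result}")
```

The pinned hash is the part that addresses the "configuration or package contents can be modified" concern: the original check only asks whether a file exists, so anything that can write to the sibling skill directory gets executed with the user's privileges on the next sentiment run.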

VirusTotal

0/66 vendors flagged this skill as malicious (66/66 reported it clean).

View on VirusTotal