Stock Research System

Security checks across malware telemetry and agentic risk

Overview

This appears to be a financial-analysis skill with somewhat broad activation wording, but the supplied evidence does not show hidden access, persistence, destructive behavior, or data exfiltration.

Install if you want this skill to assist with financial analysis, but review when it activates because the trigger wording may be broad. Treat outputs as analysis drafts, not regulated financial, legal, or investment advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger phrases are broad and overlap with ordinary financial-analysis requests, which can cause the skill to activate in contexts the user did not intend. Overbroad activation increases the chance of unsolicited tool use, unnecessary external data access, and scope confusion, especially in agentic environments where trigger matching may launch complex workflows automatically.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The repeated trigger section reinforces vague activation terms without specificity, making accidental or excessive invocation more likely. In a tool-enabled agent system, ambiguous triggers can cause the skill to capture generic finance conversations and perform actions beyond the user’s intent, which is a real control-boundary problem.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal