AI Stock Research Team

Security checks across malware telemetry and agentic risk

Overview

This is a coherent stock-analysis skill that installs a local market-data MCP server, with some install-time and privacy considerations but no artifact-backed malicious behavior.

Install only if you are comfortable running a local setup script that installs Python packages and registers a persistent MCP server in your AI client. Review setup.sh first on managed or sensitive machines, avoid running publish.sh unless you intentionally want to publish a repository, and treat generated trading recommendations as research support rather than financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding:
The skill documentation directs users to run a setup script that creates a virtual environment, installs packages, and registers an MCP server, yet the metadata does not clearly declare the corresponding sensitive capabilities. This weakens user consent and reviewability because installation and local configuration changes can occur under the guise of a stock-analysis skill.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The declared purpose is stock research, but the analyzed behavior includes setup, local configuration edits, uninstall cleanup, and even GitHub publication workflows. This mismatch is dangerous because users and reviewers may authorize the skill for financial analysis without realizing it can modify their environment or perform unrelated repository operations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The script performs authenticated GitHub operations, creates a public repository, stages all local files, commits them, and pushes them to a remote. In the context of a stock-analysis skill, this is unrelated deployment behavior that can unintentionally expose local code, secrets, configuration, or proprietary data if a user runs it without careful review.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The installer writes directly to host AI-client configuration files (`~/.openclaw/openclaw.json` and `~/.workbuddy/mcp.json`) to register an MCP server. While this appears intended to simplify installation, it changes user/client behavior outside the core stock-analysis logic and can silently persist new agent capabilities on the host, which is risky if users do not explicitly consent or review the exact changes.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding:
The uninstall script uses MCP_NAME="stock-analyzer" while the skill itself is named "stock-research-team", so it may remove or fail to remove the wrong MCP server entry. This is dangerous because uninstall actions modify user configuration files and a naming mismatch can cause unintended deletion of another integration or leave the installed component partially active, creating confusion and persistence.

Missing User Warnings

Severity: Low
Confidence: 89%
Finding:
The README advertises real-time market data via akshare and yfinance but does not clearly disclose that user-requested stock symbols and related queries may be transmitted to external services. This is a genuine transparency/privacy issue: users may assume analysis is local, while the skill actually depends on third-party data providers, creating unannounced metadata exposure and possible compliance concerns in enterprise environments.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill instructs the user to execute a shell script that creates a virtual environment, installs dependencies, registers an MCP server, and restarts the gateway, but it does not prominently disclose the security implications or the exact system changes. Encouraging blind execution of a bundled shell script is risky because such scripts can modify local configuration, install arbitrary packages, and persist services.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The script modifies user MCP configuration files without a clear pre-write warning or interactive confirmation. This is dangerous because installer-time persistence into AI client configs can add new executable integrations that the user may not realize were registered, increasing the chance of unintended tool execution later.

VirusTotal

66/66 vendors flagged this skill as clean.