itick-stock-quote

Security checks across malware telemetry and agentic risk

Overview

This is a read-only stock quote helper, but its documentation exposes a concrete API token and needs review before installation.

Install only if you trust itick.org and are comfortable providing a dedicated ITICK_API_TOKEN for market-data queries. Do not copy the hard-coded token from the examples; the publisher should replace it with an environment-variable placeholder and rotate the exposed token if it was real.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The documentation embeds a concrete API token in example commands even though earlier text says users should not manually provide or paste tokens. Hard-coded credentials in public skill docs can be copied, abused for unauthorized API usage, and may indicate the author exposed a real secret rather than using a placeholder.

Missing User Warnings

High
Confidence: 99%
Finding
The markdown examples expose a specific API token without any indication that it is fake or revoked. Publishing credentials in documentation creates a direct secret-leak scenario and can enable third parties to consume quota, access paid services, or impersonate legitimate requests.

VirusTotal

65/65 vendors flagged this skill as clean.
