A Stock Report

Security checks across malware telemetry and agentic risk

Overview

This stock-report skill mostly matches its stated purpose, but it unnecessarily asks the agent to inspect webhook secrets and broadly exposes local environment credentials during automated outbound reporting.

Install only if you are comfortable with scheduled stock reports being sent to a configured WeCom webhook. Before using it, remove the cron instruction that tells the agent to read /workspace/.env, keep the webhook key scoped to this bot only, avoid putting unrelated secrets in the loaded .env file, and consider restricting child processes to the minimum required environment variables.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # 2. Index PE (Wencai, Tonghuashun real-time data; query CSI 300 and CSI All Share together)
    try:
        r_wc = subprocess.run(
            ["python3", SECTOR_CLI, "--query", "沪深300PE,中证全指PE"],
            capture_output=True, text=True, timeout=20, env=IENV)
        if r_wc.returncode == 0:
Confidence
79% confidence
Finding
r_wc = subprocess.run( ["python3", SECTOR_CLI, "--query", "沪深300PE,中证全指PE"], capture_output=True, text=True, timeout=20, env=IENV)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # 3. CSI 300 percentile (queried directly via Wencai, no local calculation needed)
    try:
        r_pct = subprocess.run(
            ["python3", SECTOR_CLI, "--query", "沪深300市盈率分位数"],
            capture_output=True, text=True, timeout=20, env=IENV)
        if r_pct.returncode == 0:
Confidence
79% confidence
Finding
r_pct = subprocess.run( ["python3", SECTOR_CLI, "--query", "沪深300市盈率分位数"], capture_output=True, text=True, timeout=20, env=IENV)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The intraday-alert cron instructions tell the agent to read the full script and inspect `/workspace/.env` for the webhook key, even though the task only needs the script to run with the environment already injected. Expanding the agent's duty from execution to secret inspection increases credential-exposure risk and violates least-privilege principles.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script automatically loads a repository-level .env file and imports its contents into process environment without scoping or explicit disclosure. In an agent-skill context, this expands the skill's access to secrets unrelated to stock reporting and increases the chance of credential exposure or misuse by downstream code.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script automatically reads a local .env file and imports its contents into process environment without explicit user awareness. That broad secret-loading behavior increases exposure of credentials to all code running in-process and to child processes spawned later, expanding the blast radius if any dependency or subprocess is compromised.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Hard-coding and invoking another skill’s CLI gives this reporting script the ability to execute external code outside its own trust scope. In this context, that broadens the attack surface and allows compromise of the external skill to affect report contents and any secrets inherited by the child process.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Silently loading credentials from .env without user-facing disclosure is risky in an automation environment because it grants the script access to secrets beyond its obvious reporting function. Combined with network egress and external tool calls, this raises the chance of unintended credential use or leakage.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script reads a webhook credential and immediately uses it to transmit generated content to an external endpoint without any confirmation or disclosure. In agent environments, undisclosed outbound messaging can leak proprietary data, generated analysis, or other embedded context to third-party services.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
Secrets are loaded from ../.env silently and without user-facing disclosure, which reduces transparency around credential handling. In a skill context, hidden secret ingestion is more sensitive because users may not expect local credentials to be pulled into runtime and made available to dependencies and subprocesses.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The webhook credential is retrieved from environment and used for outbound transmission without explicit disclosure in the script’s interface. While sending the report is part of the intended workflow, undisclosed secret use and network egress can be abused to send data to external services if configuration is tampered with.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
This script automatically loads a webhook credential from a local .env file and transmits the full generated report to an external WeCom webhook endpoint. In an agent skill context, this creates a real exfiltration channel for potentially sensitive generated content or upstream data without any consent gate, content classification, or scope restriction.

Ssd 3

High
Confidence
98% confidence
Finding
The cron prompt explicitly instructs the agent to read `/workspace/.env` and inspect a webhook secret in plain language. That is dangerous because it normalizes direct secret handling by the model, increasing the risk of accidental disclosure in logs, prompts, downstream tool calls, or future prompt injection chains.

VirusTotal

VirusTotal findings are pending for this skill version.
