Back to skill

Security audit

A-stock-report

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: automate A-share market reports and send them to WeCom, with some credential-handling and data-source caveats to review.

Install only if you intend this skill to fetch finance data on a schedule, write report files under the workspace, and send generated reports or alerts to your configured WeCom webhook. Keep /workspace/.env limited to the two documented keys, avoid placing unrelated secrets there, and consider removing the /root/.bashrc fallback if you operate in a stricter environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code explicitly documents and implements rotation of realistic browser User-Agent strings plus a Sina finance Referer to work around anti-scraping protections after observing 403 responses. That is an intentional evasion mechanism rather than ordinary API consumption, and in an automated reporting skill it creates legal, compliance, and service-abuse risk while normalizing deceptive outbound traffic behavior.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
Although the script is described as a data-collection tool, it also loads a webhook secret and includes message-delivery capability. This expands the trust boundary: a collector that can access credentials and transmit content externally can be repurposed for unauthorized notification or data exfiltration if modified or invoked unexpectedly.

Intent-Code Divergence

Medium
Confidence
79% confidence
Finding
The file comments state that pushing is handled elsewhere, yet this script still contains its own WeCom push implementation. This inconsistency is dangerous because reviewers or operators may underestimate the file's ability to transmit data externally, weakening oversight and increasing the chance of accidental or unauthorized outbound messaging.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script loads the webhook credential from multiple fallback files, including /root/.bashrc, and allows the file paths to be overridden by environment variables. For an intraday alerting script, this broad file-reading behavior is unnecessary and increases exposure to accidental secret harvesting from unrelated locations, especially if the process runs with elevated privileges or in a shared workspace.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The template explicitly instructs sourcing /workspace/.env before executing a push script, which exposes all environment secrets to the shell context of a skill-defined command. In an agent-skill setting, this is dangerous because any modified or compromised script invoked afterward can read and exfiltrate those credentials, and the prompt normalizes secret loading as part of routine operation.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script silently reads a webhook credential from local .env files and injects it into the environment without any user-facing disclosure in this file. Hidden credential use reduces transparency and can cause operators to run code with secrets loaded into process scope without realizing the script has access to them.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script defines a function that sends arbitrary report text to an external WeCom webhook, but this outbound transmission is not clearly disclosed where the script's behavior is described. In agent/skill contexts, undisclosed external transmission is risky because it can leak generated content or sensitive context beyond the local environment.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.