Security audit

Fiscal Data Collection and Analysis (财政数据采集分析)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a purpose-aligned financial data collection skill with normal scraping and local export risks, not evidence of malware or deception.

Install only if you are comfortable with the agent fetching financial data from the network and writing generated files in the workspace. Prefer running it in an isolated environment, pin and audit the Python dependencies, and review which sites it contacts and where it saves outputs before using it on sensitive projects.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to run a pipeline that performs network access and writes files into the workspace, but the skill metadata does not declare those permissions. Undeclared capabilities reduce transparency and policy enforcement, making it easier for a skill to exceed expected trust boundaries or be executed in environments that did not explicitly authorize network and filesystem effects.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
beautifulsoup4
lxml
openpyxl
Confidence
98% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
beautifulsoup4
lxml
openpyxl
Confidence
98% confidence
Finding
beautifulsoup4

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
beautifulsoup4
lxml
openpyxl
Confidence
98% confidence
Finding
lxml

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
beautifulsoup4
lxml
openpyxl
Confidence
98% confidence
Finding
openpyxl

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
94% confidence
Finding
requests

Known Vulnerable Dependency: lxml — 10 advisory(ies): CVE-2021-43818 (lxml's HTML Cleaner allows crafted and SVG embedded scripts to pass through); CVE-2014-3146 (lxml Cross-site Scripting Via Control Characters); CVE-2021-28957 (lxml vulnerable to Cross-Site Scripting ) +7 more

High
Category
Supply Chain
Confidence
95% confidence
Finding
lxml

Known Vulnerable Dependency: openpyxl — 2 advisory(ies): CVE-2017-5992 (Improper Restriction of XML External Entity Reference in Openpyxl); CVE-2017-5992 (Openpyxl 2.4.1 resolves external entities by default, which allows remote attack)

High
Category
Supply Chain
Confidence
95% confidence
Finding
openpyxl

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.