F-AI 金融数据

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed financial market-data skill whose network calls and local installation behavior match its stated purpose.

Before installing, verify the npm package name and publisher because the manifest lacks a repository/source URL. Use it only for intended market-data lookups, and avoid sending confidential portfolio, customer, or internal business information to the external Finloop API.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 88%
Finding
The installation trigger phrase '请为我安装如下 skill' is overly broad and can cause unintended activation outside a clearly scoped install workflow. In agent environments, vague triggers increase the chance that unrelated user content or quoted text causes the skill to be invoked, which can then lead to unexpected external requests or tool use.

VirusTotal

65/65 vendors flagged this skill as clean.
