Stock Advisor Pro

Security checks across malware telemetry and agentic risk

Overview

This stock-advisor skill is mostly purpose-aligned, but it needs review because its documented local default does not match the remote API used by the code and it includes risky install guidance.

Review before installing. Set STOCK_ADVISOR_API_URL only to a backend you trust, avoid using a real API key until the provider's data handling is clear, replace the curl-to-shell install step with a verified installation method, and clear the bundled portfolio.json sample before using the portfolio feature.

SkillSpector

By NVIDIA

Vulnerability Patterns

Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (3)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The README states that Deep Scan sends stock analysis requests to a cloud backend, but it does not clearly warn users that their queried tickers and possibly related usage data leave the local environment. In a plugin marketed partly around local privacy protection, this omission can mislead users into sharing financial-interest data with a remote service without informed consent.

External Script Fetching

Low

Category: Supply Chain
Content: 本插件建议使用 `uv` 运行脚本，它会自动处理依赖： ```bash # 确保已安装 uv curl -LsSf https://astral.sh/uv/install.sh | sh ``` ### 2. 配置环境
Confidence: 97% confidence
Finding: curl -LsSf https://astral.sh/uv/install.sh | sh

Chaining Abuse

High

Category: Tool Misuse
Content: 本插件建议使用 `uv` 运行脚本，它会自动处理依赖： ```bash # 确保已安装 uv curl -LsSf https://astral.sh/uv/install.sh | sh ``` ### 2. 配置环境
Confidence: 98% confidence
Finding: | sh

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal