Stock Watcher

Security checks across malware telemetry and agentic risk

Overview

This is a simple stock watchlist skill with disclosed local storage and market-data API use, though its documented helper scripts are not included in the submitted artifact.

Install only if you are comfortable with a Chinese-language stock watchlist skill that stores symbols locally and contacts Sina or Tencent for quote data. Be careful with clear_watchlist.py because it is intended to remove saved watchlist entries, and verify any referenced scripts come from the intended skill directory before running them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Natural-Language Policy Violations

Medium

Confidence: 93% confidence
Finding: The skill content is entirely in Chinese while the surrounding ecosystem and triggering context may be used by multilingual users, and it does not provide a language choice or opt-in. This can cause users or agents to misunderstand capabilities, storage locations, commands, or side effects, which is a security-relevant usability issue because misunderstood instructions can lead to unintended execution or data modification.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal