Security audit

Wyckoff Screen

Security checks across malware telemetry and agentic risk

Overview

This stock-screening skill mostly fits its stated purpose, but it embeds a market-data credential and sends authenticated requests to an undisclosed plain-HTTP IP endpoint.

Review before installing. The stock-screening behavior is broadly coherent, but the publisher should remove and rotate the embedded Tushare token, stop using or clearly justify the plain-HTTP IP endpoint, document all external data providers, and add confirmation/configuration for broad scans and local persistence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill documentation describes writing market data into a local SQLite database but does not declare corresponding permissions. Undeclared write capability reduces transparency and informed consent, and can lead to unexpected persistence of data on the host system even if the data itself is not highly sensitive.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
This is a substantial documentation-behavior mismatch: the skill claims a limited stock-screening purpose, while the analysis indicates additional external services, local persistence, file output, a hardcoded API token, and incomplete market coverage. Such hidden behavior is dangerous because users and reviewers cannot accurately assess what data is accessed, where it is sent, or what credentials are embedded, increasing supply-chain and secret-exposure risk.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are broad enough to activate on ordinary conversational requests like 'today what should I buy' or 'help me see what can be bought.' Over-broad activation can cause unintended execution of external market scans and local data writes without clear user intent, which is especially concerning in a skill that fetches third-party data and persists results.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The workflow explicitly says daily data is stored in a local SQLite database, but the description does not warn users about this persistence. Hidden storage is dangerous because it creates unexpected artifacts on disk, affects privacy and system state, and can accumulate significant historical data without user awareness.

Missing User Warnings

High
Confidence
99% confidence
Finding
The file hardcodes a live Tushare API token directly in source code and then uses it for authenticated requests. Hardcoded secrets are vulnerable to source leakage, repository exposure, log disclosure, and unauthorized reuse by anyone who can read the code, which can lead to account abuse, quota exhaustion, billing or service impact, and compromise of associated data access.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The adapter overrides the API endpoint to use plain HTTP to a fixed IP address, causing outbound requests to be sent without transport encryption and without any user disclosure. This exposes API credentials and returned market data to interception or tampering by network attackers and also increases supply-chain risk because the code bypasses the normal trusted service endpoint.

VirusTotal

66/66 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.