Back to skill

Security audit

Price for Agent

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only price lookup skill that sends market price requests to its declared API, with a privacy caveat around query text and agent identifiers.

Safe to install for market price lookups. Keep the generated API key private, and avoid sending portfolio holdings, trading plans, account details, or other sensitive personal information in natural-language queries to the price API.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description is broadly phrased around common requests for prices, market data, and asset values, which can cause over-triggering in unrelated or only loosely related conversations. In an agent environment, broad activation increases the chance that user queries and identifiers are unnecessarily routed to the external service, expanding data exposure and unintended tool use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs the agent to send natural-language queries and an agent identifier to a third-party API without any warning, consent flow, or data-handling guidance. This is dangerous because user prompts may contain sensitive financial interests or other incidental personal data, and the registration endpoint also transmits a persistent identifier to the external provider.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.