Back to skill

Security audit

Justice Plutus

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent local stock-analysis runner with disclosed optional external services and notifications, but users should be careful with API keys and report sharing.

Install only if you trust the local JusticePlutus code that this wrapper will run. Provide only the credentials needed for the mode you use, and enable --notify only after confirming the destination channel is appropriate for the report contents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly supports notification delivery to Feishu, Telegram, and other channels, but the description does not clearly warn that report contents, stock codes, and analysis outputs may be transmitted to third-party services when `--notify` is used. This creates a real data disclosure risk because users may assume the workflow remains fully local-first unless they infer the exception from the command text.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises optional integrations with multiple external search, chip, and iFinD services and lists their API keys, but it does not clearly disclose that using these enhancements may send stock queries, prompts, and related analysis inputs to third-party providers. In a tool described as 'local-first,' this omission can mislead users about the trust boundary and cause unintended external sharing of sensitive research activity or proprietary query context.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The overview explicitly states that the skill writes reports to local disk and can send notifications to external channels such as Feishu or Telegram, but it does not clearly warn users about persistence of potentially sensitive analysis outputs or outbound transmission. In a local analysis skill this is not inherently malicious, but the lack of explicit disclosure can lead to unintended data exposure, especially if reports contain proprietary prompts, stock selections, or derived insights.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.