Tencent Finance Quote API

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Tencent Finance quote lookup helper that sends market symbols to Tencent and does not modify local data or request credentials.

Safe to install for market quote lookup if you are comfortable sending requested symbols and request metadata to Tencent's public quote endpoint. Do not include secrets or private portfolio notes in query codes, avoid high-frequency polling, and treat returned market data as informational rather than investment advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 83%
Finding
The trigger keywords include broad everyday phrases such as '查股价' and '查行情', which can cause the skill to activate in unintended contexts. Over-broad activation increases the chance of surprising network calls to a third party and incorrect routing of user requests, especially in environments with many overlapping finance-related skills.

Missing User Warnings

Low
Confidence: 88%
Finding
The examples perform HTTP requests to a third-party service but do not clearly warn that queried symbols, source IP, headers, timing, and other request metadata will be disclosed to Tencent's endpoint. This is a real transparency/privacy issue, though the payload is limited to market symbols rather than obviously sensitive secrets in the examples.

VirusTotal

64/64 vendors flagged this skill as clean.
