Gprophet Api

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for a paid G-Prophet financial analysis API, with normal cautions around API-key handling, billable usage, and optional webhooks.

Install only if you are comfortable giving an agent access to a G-Prophet API key that can consume paid points. Store the key outside checked-in config, monitor usage and quotas, verify any external SDK or MCP package before running it, and use callback_url only with trusted endpoints because analysis results will be POSTed there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 89%
Finding
The MCP server example places the API key directly inside a JSON config value, which normalizes storing credentials in plaintext configuration files. If users copy this pattern into checked-in config, shared dotfiles, backups, or logs, the key can be exposed and abused for unauthorized API access.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly supports sending async analysis results to a user-supplied callback_url, which creates an outbound data exfiltration path to arbitrary endpoints. Without documentation warning about privacy implications, SSRF risk controls, authentication/signature verification, or destination allowlisting, integrators may expose sensitive analysis outputs or internal network reachability through webhook delivery.

VirusTotal

66/66 vendors flagged this skill as clean.
