comparable-company-analysis

Security checks across malware telemetry and agentic risk

Overview

This is a self-contained financial reporting skill: it takes a declared Eastmoney API key from the EM_API_KEY environment variable, sends company queries to Eastmoney's comparable-company API, and writes a local Excel report.

Install only if you intend to use Eastmoney's comparable-company API and are comfortable sending company queries to that service authenticated with EM_API_KEY. Treat console output from the debug fetch script as potentially containing the full API response, and avoid running it anywhere stdout is captured (shared logs, notebooks, CI, agent traces) if the analysis is sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The module states that raw API payloads are not persisted locally, but the CLI prints the full result object, including the raw response, to stdout. In many environments stdout is captured by shells, notebooks, CI logs, agent traces, or orchestration platforms, so sensitive third-party data can still be unintentionally retained or exposed despite not being written to a file directly.
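The divergence described above, shown as an added example that is not the skill's own code: a debug printer that dumps the whole result object (the flagged pattern) next to one that redacts raw-payload subtrees by default and only includes them on an explicit opt-in. The sample result, its field names, and the set of keys treated as "raw" are constructed assumptions for illustration, not Eastmoney's real schema or the skill's real data structure.

```python
import json

# Constructed sample of a comparable-company lookup result. Field names
# are assumptions for illustration, not Eastmoney's real schema.
SAMPLE_RESULT = {
    "query": "600519",
    "peers": [
        {"ticker": "000858", "pe": 28.1},
        {"ticker": "000568", "pe": 22.4},
    ],
    # The full third-party payload the skill keeps in memory but, per its
    # documentation, never writes to disk. RAW-ONLY-FIELD marks data that
    # exists only here and should not reach a captured console.
    "raw": {
        "status": 0,
        "data": {"items": [{"ticker": "000858", "note": "RAW-ONLY-FIELD"}]},
    },
}

# Keys under which this hypothetical skill carries the raw API payload.
RAW_KEYS = frozenset({"raw", "raw_response", "response"})


def leaky_debug(result):
    """The flagged pattern: serialise the whole result object, raw payload
    included. Whatever captures stdout (shell, notebook, CI, agent trace)
    now retains the third-party data the docs say is never persisted."""
    return json.dumps(result, ensure_ascii=False, indent=2)


def redact(obj, raw_keys=RAW_KEYS):
    """Return a deep copy in which every subtree under a raw-payload key is
    replaced by a size marker: logs show that data existed, not what it was."""
    if isinstance(obj, dict):
        return {
            k: (f"<redacted {len(json.dumps(v, ensure_ascii=False))} bytes>"
                if k in raw_keys else redact(v, raw_keys))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(v, raw_keys) for v in obj]
    return obj


def debug_view(result, dump_raw=False):
    """Console rendering that redacts by default. The raw payload appears only
    when the caller opts in explicitly (e.g. behind a --dump-raw flag), so the
    safe path is the one a casual `python fetch.py` run hits."""
    return json.dumps(result if dump_raw else redact(result),
                      ensure_ascii=False, indent=2)


if __name__ == "__main__":
    print(debug_view(SAMPLE_RESULT))
```

The design point is that the default path must be the redacting one: a skill whose safety depends on the operator remembering not to pipe stdout anywhere is relying on the environment, not on the code, which is exactly the gap the finding describes.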

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal