Back to skill

Security audit

Industry Research Agent

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: generates industry research reports through an Eastmoney API, using an API key and saving report files locally.

Install only if you trust the Eastmoney API integration and are comfortable sending the industry topic to that service under your EM_API_KEY. Use a dedicated API key, keep it in environment variables, choose an appropriate output directory, and avoid putting confidential business details in prompts for this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger criteria are broad enough to activate on many general analysis requests whenever an industry-like topic appears, which can cause the skill to run unexpectedly and make external API calls or generate files without clear user intent. In this skill's context, unintended invocation is more concerning because activation leads to networked report generation and local file creation, not just harmless formatting.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.