Back to skill

Security audit

Initiation of Coverage Agent

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: generate listed-company research reports through a disclosed EastMoney API call and save returned report files locally.

Install this only if you trust the publisher and are comfortable providing an EastMoney API key. Avoid including confidential or non-public information in report prompts because the original query is sent to EastMoney, and choose an output directory where generated PDF/DOCX files can be stored safely.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger rules are intentionally very broad, including generic requests such as 'write a research report on XX company,' which can cause the skill to activate for common financial-analysis prompts beyond true deep-dive coverage use cases. Overbroad activation is dangerous because it can route benign or unrelated user requests into a workflow that performs network calls, file generation, and structured output automatically, increasing the chance of unintended external data access or incorrect tool use.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.