Back to skill

Security audit

Financial Search Engine

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed financial-news search skill that sends user queries and an Eastmoney API key to Eastmoney and can save retrieved results locally.

Install only if you trust Eastmoney's service with your search queries and EM_API_KEY. Use a revocable API key, avoid sending confidential portfolio or business-sensitive details in queries, and use --no-save when you do not want retrieved content written locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation indicates use of environment variables, outbound network access to a third-party financial API, and local file writing, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: hosts or users may invoke the skill without understanding that it can access secrets, contact external services, and persist data locally.

Vague Triggers

Medium
Confidence
75% confidence
Finding
The description advertises very broad natural-language financial search and analysis functionality without clear trigger boundaries or narrowing conditions. In agent ecosystems, overly broad activation can cause unintended invocation on loosely related prompts, leading to unnecessary external queries, data exposure to third parties, or user confusion about when the skill should run.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.