topic-research-report

Security checks across malware telemetry and agentic risk

Overview

The skill does what it says by calling Eastmoney to generate research reports, but its advertised no-save option is inconsistent with the code and may still write returned documents locally.

Install only if you are comfortable providing an Eastmoney EM_API_KEY, sending research queries to Eastmoney, and receiving local DOCX/PDF files generated by that service. Do not rely on --no-save to prevent file writes until the implementation is fixed, and treat generated documents as untrusted external files before opening them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium, 92% confidence
Finding
The function sends the user's natural-language query directly to an external Eastmoney API endpoint, which can expose sensitive prompts, proprietary research topics, or regulated data if users include them. In this runtime flow there is no consent prompt, warning, redaction, or policy gate before transmission, so users may unknowingly disclose sensitive information to a third party.

VirusTotal

64/64 vendors flagged this skill as clean.
