content-stock

Security checks across malware telemetry and agentic risk

Overview

The skill is narrowly for stock-theme analysis, but it sends the user’s API key and query to an unspecified plain-HTTP endpoint.

Review before installing. Only use this skill if you can verify the real EasyAlpha endpoint, preferably an HTTPS hostname, and are comfortable sending stock-analysis queries to that service. Use a revocable, scoped API key and avoid sensitive trading strategies or confidential business information.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The documentation tells users to set an API key in an environment variable but provides no guidance on secure handling, storage, rotation, or avoiding accidental disclosure in logs and examples. In a skill that likely makes external API calls for stock/news analysis, this omission increases the chance of credential leakage or misuse, especially by less experienced users.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The skill sends both the bearer API key and user-supplied query to an HTTP endpoint, which provides no transport encryption or server authentication. This exposes credentials and potentially sensitive user inputs to interception or tampering by attackers on the network path, and the hardcoded placeholder-style IP target further reduces trust and accountability.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal