Back to skill

Security audit

Gold Monitor Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed market-data lookup skill that makes read-only network requests for gold, USD index, and oil prices.

Install only if you are comfortable with a local Python helper making outbound requests to financial market-data services. Treat prices and investment signals as informational, verify important financial decisions independently, and keep normal caution around third-party Python dependencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill explicitly requires outbound network access to third-party market data providers, but no declared permissions are present in the skill metadata. This creates a policy and transparency gap: callers and the hosting platform cannot reliably enforce or review the skill's external communication behavior, which increases supply-chain and data-exfiltration risk if the implementation changes or the documented hosts are incomplete.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.