Market Chart Renderer

Security checks across malware telemetry and agentic risk

Overview

This is a coherent market chart renderer that writes generated chart files locally and uses browser-based rendering, with no evidence of hidden data access or destructive behavior.

Install only if you are comfortable with generated market chart files being written under output/generated/images, Chrome/Chromium being launched for screenshots, and generated HTML loading ECharts from a CDN. Review the separate AkShare data dependency if the source of market data matters to your workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill documentation advertises execution paths that invoke Python and produce artifacts, implying shell execution and file writes, but it does not declare corresponding permissions. In an agent environment, undeclared capabilities are a security and governance problem because users and orchestration layers cannot accurately assess or constrain what the skill will do before running it.

Missing User Warnings

Low
Confidence: 82%
Finding: The markdown states that outputs are written under `output/generated/images/` but does not clearly warn that running the skill modifies the repository workspace. This can lead to unintended file creation, polluted working trees, or accidental exposure of generated artifacts in shared or automated environments.

VirusTotal

66/66 vendors flagged this skill as clean.
