ETF Investment Assistant (ETF投资助理)

Security checks across malware telemetry and agentic risk

Overview

This ETF assistant is a small, purpose-aligned quote and calculator tool; its Yahoo Finance lookups are expected, but users should know ticker symbols are sent externally.

Installers should understand that price and comparison commands make outbound requests to Yahoo Finance with the ETF symbols they enter. Treat the output as informational only, and do not rely on this skill as financial advice or as a trading system.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence: 93%
Finding
The `price` command sends the user-supplied ETF code to Yahoo Finance without any notice that the skill performs outbound network access. This creates a privacy and transparency issue because user input is transmitted to a third party, even though the data sent is low sensitivity in this investment-assistant context.

Missing User Warnings

Low
Confidence: 94%
Finding
The `compare` command performs two outbound requests using user-provided ETF codes and does not inform the user that external network access occurs. While the transmitted values are only ticker symbols, the lack of disclosure means the skill silently shares user input with a third-party service.

VirusTotal

64/64 vendors flagged this skill as clean.
