Back to skill

Security audit

ETF投资助理

Security checks across malware telemetry and agentic risk

Overview

The ETF assistant’s main features match its purpose, but its calculator can run unintended shell commands if given specially crafted numeric inputs.

Review before installing. The quote and comparison features send ETF symbols to Yahoo Finance, which fits the skill’s purpose and is disclosed in the documentation. The main concern is the calculator: only use trusted, plain numeric amount and year inputs, and avoid letting untrusted text be passed into this script until the author adds numeric validation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.