Security audit
ETF投资助理
Security checks across malware telemetry and agentic risk
Overview
The ETF assistant’s main features match its purpose, but its calculator can run unintended shell commands if given specially crafted numeric inputs.
Review before installing. The quote and comparison features send ETF symbols to Yahoo Finance, which fits the skill’s purpose and is disclosed in the documentation. The main concern is the calculator: only use trusted, plain numeric amount and year inputs, and avoid letting untrusted text be passed into this script until the author adds numeric validation.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
64/64 vendors flagged this skill as clean.
Static analysis
No suspicious patterns detected.
