Zonebourse

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it asks users to export and persist raw ZoneBourse login cookies in a local plaintext file.

Review before installing. Only use this skill if you are comfortable exporting ZoneBourse session cookies into a local plaintext file. Treat cookies.txt like a password: do not share it, commit it, back it up to shared storage, or leave it readable by other users. Rotate/logout the ZoneBourse session if the file may have been exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The skill explicitly documents using subscriber session cookies to access premium ZoneBourse content and stores them locally for reuse. Session cookies are authentication artifacts; exposing, copying, or reusing them outside a secure browser context creates credential-handling risk and enables unauthorized account access if the file or workspace is compromised.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The documentation instructs users to manually copy subscriber cookies into a local plaintext file without clear warnings about credential sensitivity, theft risk, or misuse. This weak secret-handling practice increases the chance of accidental disclosure through filesystem access, backups, logs, or repository inclusion, leading to account takeover or paid-content abuse.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal