MoltStreet News

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public MoltStreet market analysis and does not request credentials, local files, persistence, or trading authority.

Install only if you are comfortable sending ticker symbols or market search topics to MoltStreet. Treat the results as research context, verify important claims against cited sources, and do not rely on it as personalized financial advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The activation guidance uses very broad phrases such as general requests for market news, financial news, or why major ETFs/stocks are moving. In an agent environment, this can cause the skill to trigger on routine finance questions even when the user did not intend to invoke this external data source, leading to unintended tool use and over-broad collection or presentation of third-party content.

Missing User Warnings

Low

Confidence: 74% confidence
Finding: The skill instructs the agent to fetch remote content via curl from an external domain but does not tell the agent to inform the user or obtain confirmation before making network requests. This is a security and privacy concern because the agent may contact third-party infrastructure unexpectedly, exposing metadata and creating hidden external dependencies in response to ordinary user prompts.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal