Security audit

Stocktorch

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill is coherent and purpose-aligned, with disclosed web searches, local report generation, and no credential, trading, or destructive authority.

Before installing, confirm you are comfortable with stock names and queries being sent to web search providers, and verify that any referenced run_skill.py/docs files come from the same trusted package before running them. Review generated reports and cited timestamps before relying on any investment suggestion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium, 90% confidence
Finding
The skill instructs generating and saving reports into a local reports/ directory without telling the user that filesystem writes will occur. Silent file creation can surprise users, overwrite existing artifacts, leak sensitive analysis to shared storage, or accumulate persistent data beyond the user's expectations.

Missing User Warnings

Medium, 92% confidence
Finding
The market analysis flow again mandates saving generated output locally, creating the same silent persistence risk in a workflow that may be triggered by a simple question like asking about the market. Because this can happen during routine conversational use, the chance of unintended filesystem modification is higher.

VirusTotal

65/65 vendors flagged this skill as clean.