cn-hk-dividend-fhpg-api

Security checks across malware telemetry and agentic risk

Overview

This is a read-only dividend-data skill with one documentation mismatch that could confuse financial-analysis scope but no hidden execution, credential access, persistence, or destructive behavior.

Install only if you want an agent to answer dividend and allotment questions using the disclosed API. Verify the API base URL and prefer HTTPS or a trusted override before use, and do not rely on this skill for revenue, profit, ROE, debt ratio, forecasts, or investment advice unless you add a verified financial-statement data source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The skill documentation contradicts itself: it first states that no financial statement interface is implemented, then later provides sample output that claims conclusions about revenue, net profit, ROE, and debt ratio. This can cause the agent to fabricate unsupported financial analysis or overstate its capability, leading to misleading investment-related responses based on unavailable data.

VirusTotal

66/66 vendors flagged this skill as clean.
