Back to skill

Security audit

Capital Flow Analysis

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Chinese A-share capital-flow helper with expected external market-data lookups and no evidence of hidden or destructive behavior.

Reasonable to install for stock capital-flow analysis experiments. Be aware that stock codes may be queried through akshare and its upstream data sources, dependencies are not version-pinned, and the advertised Dragon Tiger List function appears missing in this version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The description is too broad and underspecified for a finance-related skill, which increases the chance that an agent invokes it in the wrong context or without sufficient user intent. In capital-markets workflows, ambiguous routing can lead to inappropriate data access, misleading analysis, or unintended financial decision support.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
A description that is only in Chinese without clarifying locale expectations can cause agent-selection errors in multilingual environments and may make the skill's purpose opaque to orchestrators or reviewers. This is primarily a quality and governance risk, but in financial contexts it can still contribute to incorrect tool invocation or misunderstood outputs.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.