Fx Radar

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward exchange-rate lookup tool that contacts public finance data sources and does not access private local data or make system changes.

Install if you are comfortable with the skill making outbound requests to Yahoo Finance and frankfurter.app for exchange-rate data. In stricter environments, require an explicit network allowlist and narrower trigger phrases; treat its market commentary as informational rather than financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill performs outbound network access to Yahoo Finance via `requests.get(...)` but does not declare any permissions. Undeclared network capability is a real security and governance issue because it bypasses user/operator expectations about what the skill can access externally, and in an agent environment it can enable unintended data egress or supply-chain dependence on remote content.

Vague Triggers

Medium
Confidence: 85%
Finding: The trigger description contains very broad phrases such as '汇率', '外汇', and '换汇', which are likely to match ordinary conversation and cause over-invocation. In an agent system, overly broad routing is dangerous because it can unexpectedly activate networked behavior, expose user prompts to external lookups, and interfere with more appropriate skills or core assistant behavior.

VirusTotal

66/66 vendors flagged this skill as clean.
