Finance News Assistant

Security checks across malware telemetry and agentic risk

Overview

This finance-news skill is instruction-only and uses a disclosed stock API for its stated purpose, with no hidden execution or destructive behavior found.

Install only if you trust the fixed stock API provider at tczlld.com. Use a scoped STOCK_API_TOKEN, configure Feishu delivery only for intended recipients, and independently verify prices, news, and any buy/sell or position suggestions before acting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs sending stock codes to a remote AI decision endpoint and using an authorization token, but it provides no user-facing disclosure that requests and associated metadata will leave the local environment. Even if stock codes are not highly sensitive by themselves, undisclosed external transmission can expose user interests, trading intent, request metadata, and operational secrets to a third party, especially in a finance context where access patterns may be sensitive.

VirusTotal

65/65 vendors flagged this skill as clean.