ENI收割者v14

Security checks across malware telemetry and agentic risk

Overview

This is a small stock-market data helper with some poorly worded stealth/rate-limit language, but the artifacts do not show hidden access, credential use, persistence, destructive behavior, or data theft.

Before installing, confirm you are comfortable with live AkShare market-data requests and consider pinning dependency versions. Treat the randomized delay as a compliance warning: do not use or modify this skill for aggressive scraping, rate-limit evasion, or provider rule bypass.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Intent-Code Divergence

Medium

Confidence: 89% confidence
Finding: The description explicitly markets the skill as using 'stealth' fetching with randomized delays, which suggests an attempt to conceal or obfuscate automated network behavior rather than simply implementing ordinary rate limiting. Even though the code only sleeps before a single AkShare request, framing the behavior as hidden or stealthy normalizes evasive access patterns and could be repurposed for scraping or abuse in agent environments.

Missing User Warnings

Low

Confidence: 76% confidence
Finding: The skill performs an external data fetch from AkShare without any user-facing notice, consent prompt, or disclosure that remote access will occur. In an agent setting, undisclosed network access can expose usage metadata, create compliance issues, or violate user expectations even when the fetched data itself is benign market information.

Unpinned Dependencies

Low

Category: Supply Chain
Content: akshare pandas
Confidence: 95% confidence
Finding: akshare

Unpinned Dependencies

Low

Category: Supply Chain
Content: akshare pandas
Confidence: 98% confidence
Finding: pandas

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal