Tianshu Stock Analysis System (天枢股票分析系统)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a stock-data helper that contacts a third-party finance API, with documentation issues but no evidence of hidden, destructive, or credential-stealing behavior.

Reasonable to install if you are comfortable sending stock symbols and query timing to Tencent Finance. Do not copy any sample code that disables TLS certificate or hostname verification; use normal HTTPS verification and avoid putting sensitive portfolio details into queries unless necessary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Low
Confidence: 93%
Finding: The sample code disables TLS certificate validation and hostname checking, and it also references an undefined SSL context, indicating insecure and incorrect network-handling guidance. Even in documentation, this can lead downstream implementations to copy unsafe patterns that permit man-in-the-middle interception or silent connection to untrusted endpoints.

Missing User Warnings

Low
Confidence: 84%
Finding: The skill explicitly instructs outbound requests to a third-party financial API but provides no user-facing notice that stock codes, query timing, and dependency on an external service will be transmitted off-platform. In this context the data is not highly sensitive by default, but the lack of disclosure can create privacy, compliance, and reliability risks, especially in constrained or offline environments.

VirusTotal

63/63 vendors flagged this skill as clean.
