华尔街股票分析系统

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed stock-analysis instruction skill that fetches public market data and does not request credentials, local files, persistence, or trading authority.

Before installing, be comfortable with the agent making live requests to third-party finance data providers when you ask for stock analysis. Verify investment conclusions independently; the skill does not trade, access accounts, or handle credentials.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger condition uses the catch-all phrase “或类似指令” (“or similar instructions”), which makes skill activation boundaries ambiguous. In an agent environment, vague activation can cause unintended invocation on loosely related user input, increasing the chance of accidental tool use, confused routing, or prompt collisions with other skills.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal