Back to skill

Security audit

uwillberich

Security checks across malware telemetry and agentic risk

Overview

This finance-analysis skill is coherent and disclosed, but it uses a third-party API key, writes local market-analysis files, and includes an optional background news poller users should enable deliberately.

Install only if you want a live finance workflow that stores an Eastmoney API key locally, queries external finance/news services, and writes reports under ~/.uwillberich. Do not run the launchd or nohup commands unless you intentionally want recurring background polling, and review the generated state directory if you later want to clean up stored alerts and watchlists.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and orchestrates capabilities including environment access, local file reads/writes, shell execution, and network access, yet it declares no permissions or boundaries. That creates a transparency and consent failure: an invoking agent or user may treat it as a simple analysis skill while it can access credentials, persist data, and call external services. In this context, the required EM_API_KEY, runtime.env storage, and installable background job make the undeclared capability surface materially more dangerous than a normal read-only market commentary tool.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose is a narrow pre-open A-share decision workflow, but the documented behavior extends into persistent RSS collection, local database/JSONL storage, background job installation, generic API querying, benchmarking, and export tooling. This mismatch is dangerous because it can cause overbroad invocation and user trust in a seemingly focused market-analysis skill while enabling persistence, data accumulation, and system modification that are unrelated to the stated task. The presence of continuous polling and launchd installation significantly raises the risk beyond a harmless feature mismatch.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The documentation describes a persistent RSS-ingestion and alert-generation subsystem that materially expands the skill from a discretionary planning aid into an always-on data collection and automated watchlist production tool. This increases operational scope, storage of local data, and autonomy beyond what a user would reasonably expect from a next-session A-share planning skill.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
Writing multiple persistent artifacts and auto-generated watchlists broadens the skill from analysis into stateful data production and workflow automation. If users do not expect files and derived trading lists to be created, this can create hidden side effects, data sprawl, and unintended downstream use in decision-making.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The continuous loop and background deployment instructions introduce a long-running service capability that is not necessary for a simple discretionary planning workflow. Long-lived background processes increase persistence, resource consumption, and the chance that the skill operates outside the user's awareness.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The script installs and removes a persistent macOS LaunchAgent that runs on a timer and at load, which is capability far beyond the stated market-planning role of the skill. In a skill context, persistence and background execution increase attack surface and can enable covert ongoing data collection or repeated external calls without clear user expectation.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The helper wraps arbitrary subprocess execution and is then used for launchctl service management, giving the skill OS-level persistence control unrelated to generating A-share game plans. Even without shell injection, this is an unnecessary capability escalation for the advertised purpose and makes abuse or repurposing easier.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The code hard-gates functionality on an external Eastmoney API key and introduces vendor-specific capability logic that is not reflected in the skill's stated market-planning purpose. This creates hidden dependency and data-flow risk: operators may be induced to provision third-party credentials and route usage through an external service without that trust boundary being clearly disclosed in the manifest.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This file provides CLI commands to persist, unset, and report status for a third-party API credential in a local runtime.env file, extending the skill into credential management. Even without overt exfiltration, persistent secret handling for an external vendor increases attack surface and is not obviously necessary for a discretionary A-share planning workflow as described.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README recommends installing a scheduled `launchd` polling service without clearly warning that it will create persistent background execution with recurring network access. In an agent-skill context, this increases operational risk because users may enable continuous data collection and outbound requests without understanding the persistence and resource implications.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The invocation language is broad enough to match common market-related prompts, increasing the chance the skill is auto-selected in situations where the user did not intend to authorize its heavier capabilities. In this skill, that risk is amplified because selection may lead to scripts that access env vars, write files, contact third-party services, or set up ongoing polling, so broad routing language has meaningful security consequences rather than being a mere UX issue.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The default prompt is broad and enables implicit invocation for loosely related user requests, which can cause the skill to trigger without clear user intent or sufficient scope boundaries. In an agent setting, this increases the chance of over-activation, context misuse, or unintended financial-style guidance being produced when the user did not explicitly ask for this specific workflow.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list includes the very broad term "energy", which is a common everyday word and can match many unrelated market, macro, or utility discussions. In this skill, broad trigger matching can cause unintended theme activation and distort downstream A-share sector analysis, reducing precision and potentially surfacing irrelevant oil/coal themes.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The text describes continuous polling, local storage, and automatic generation of outputs without an upfront warning that the module performs persistent writes and may run long-term. This can mislead users about operational side effects and make consent to background activity insufficiently informed.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script performs outbound network requests to feed URLs taken from configuration without any allowlist, scheme restriction, or destination validation. If an attacker can influence the config, this can be abused for SSRF-style access to internal resources or unexpected connections, and the fetched content is then parsed and persisted, increasing exposure to malicious inputs.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.