JoinQuant datasdk skill

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only JoinQuant data SDK skill whose credential and network use are expected for its stated purpose, but users should handle secrets carefully.

Install dependencies in a virtual environment, verify the jqdatasdk package source, and keep JoinQuant passwords or tokens in environment variables or a secret manager. Expect authentication details and data queries to be sent to JoinQuant when using the SDK.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (90% confidence)
Finding
The README includes a direct username/password authentication example and demonstrates external market-data access without any warning about secure credential handling, secret storage, or the fact that credentials and requests are sent to a third-party service. In an agent-skill context, this can encourage users to hardcode credentials or paste real secrets into prompts, increasing the risk of credential leakage and unintended transmission of sensitive data.

Missing User Warnings

Medium (89% confidence)
Finding
The skill includes authentication examples using raw usernames, passwords, and tokens without any guidance on secure secret handling. In an agent skill context, users may copy these examples directly, leading to hardcoded credentials in code, logs, notebooks, or prompt history where they can be exposed or reused by unauthorized parties.

VirusTotal

66/66 vendors flagged this skill as clean.
