AIGroup Market MCP

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent China-market data connector; its main risk is that it runs an external npm MCP server and uses a Tushare API token.

Before installing, confirm you trust the external `aigroup-market-mcp` npm package and use a Tushare token with only the access you are comfortable granting. Expect the skill to activate for China-market data requests; the reviewed artifacts do not show hidden collection, destructive behavior, or persistence.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: This manifest allows implicit invocation but does not define clear trigger phrases, scope limits, or exclusion conditions. That ambiguity can cause the skill to activate on loosely related China-market requests beyond the author's intended context.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal