Get company fact and information by ticker or CIK

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow wrapper for looking up public company facts through apipick, with no executable code or hidden privileged behavior found.

Install only if you are comfortable giving your agent access to an apipick API key and having company lookups sent to apipick.com using that credential. Prefer setting APIPICK_API_KEY as an environment variable rather than pasting the key into chat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 89%
Finding
The README describes usage and API key requirements but does not clearly warn that user-supplied identifiers or company queries will be transmitted to a third-party service using the user's API credential. In most cases ticker symbols and public-company identifiers are not sensitive, so the impact is limited, but the omission can still mislead users about external data sharing and credential-backed requests.

VirusTotal

65/65 vendors flagged this skill as clean.
