A Stock Holding Monitor

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local A-share holdings monitor, with a privacy caveat because it saves recent portfolio status in a temporary file.

Install only if you are comfortable putting your holding details into the script. On a shared or multi-user machine, change the output path from /tmp/holding_check.json to a private user directory with restrictive permissions before running it from cron.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The script persists detailed holding status, including prices, profit/loss, support, stop-loss, and trading signals, to /tmp/holding_check.json even though the skill is presented as a monitoring/reminder tool. Writing sensitive financial data to a world-accessible temporary location can expose portfolio information to other local users or processes and creates unnecessary data retention.

VirusTotal

65/65 vendors flagged this skill as clean.
