Security audit

Mx Search

Security checks across malware telemetry and agentic risk

Overview

This skill coherently performs user-requested financial news search, using a disclosed API key and saving search results locally.

Install only if you trust Eastmoney/Miaoxiang with your financial search queries and API key use. Set MX_APIKEY in a trusted environment, avoid putting sensitive non-query data in prompts, and direct output to a dedicated workspace directory rather than system or shared folders.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Context-Inappropriate Capability

Medium

Confidence: 80% confidence
Finding: The script accepts an arbitrary output directory from the command line and writes files there without restriction or validation. In a privileged or multi-tenant execution context, this expands the skill from search into arbitrary file write behavior, which can overwrite or place data in unintended locations and may facilitate misuse of the host filesystem.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal