Security audit

Finance Reporter Publish

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public market prices from Yahoo Finance and prints a report; its main risks are disclosure and documentation gaps, not hidden or harmful behavior.

Install only if you are comfortable with the skill making outbound requests to Yahoo Finance. Add the cron job only if you want recurring reports, and remove it when no longer needed. Treat DingTalk/WeChat push claims as incomplete unless you separately configure and verify a messaging integration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill explicitly relies on Yahoo Finance data and fetches it with curl or the Python requests library, which implies outbound network access, yet no permissions are declared. Undeclared network capability weakens user consent and platform policy enforcement: the skill can reach external services without transparent capability disclosure.
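The undeclared-network finding can be reproduced mechanically. The following is an added example, not the scanner's code or the skill's own: a small static check that looks for outbound-network calls in a skill's source and compares what it finds with a hypothetical "permissions" list in the manifest. The manifest key, the sample source and the host named in it are constructed for illustration.

```python
"""Flag outbound-network use that a skill does not declare.

Added example for the undeclared-network finding; it is not the scanner's
or the skill's own code.  The "permissions" manifest key and the sample
source below are constructed for illustration.
"""
import re

# Call patterns that imply outbound network access, mapped to the
# capability they require.
NETWORK_PATTERNS = {
    r"\brequests\.(get|post|put|patch|delete|request|Session)\b": "network",
    r"\burllib\.request\b": "network",
    r"\bhttp\.client\b": "network",
    r"\bsocket\.(socket|create_connection)\b": "network",
    r"\bcurl\b": "network",
    r"\bwget\b": "network",
}

# Hosts named in URL literals, so the report can say where traffic goes.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def find_network_use(source: str) -> dict:
    """Return capabilities implied by `source`, hosts named, and evidence lines."""
    caps, hosts, evidence = set(), set(), []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, cap in NETWORK_PATTERNS.items():
            if re.search(pattern, line):
                caps.add(cap)
                evidence.append((lineno, line.strip()))
                break  # one evidence entry per line is enough
        hosts.update(HOST_RE.findall(line))
    return {"capabilities": caps, "hosts": hosts, "evidence": evidence}


def undeclared_capabilities(manifest: dict, source: str) -> set:
    """Capabilities the code needs that the manifest's 'permissions' list lacks."""
    declared = set(manifest.get("permissions", []))
    return find_network_use(source)["capabilities"] - declared


# Constructed manifest: dependencies as quoted in the audit, no permissions key.
SAMPLE_MANIFEST = {"name": "finance-reporter", "dependencies": {"requests": "^2.28.0"}}

# Constructed source resembling what the audit describes (requests plus a curl fallback).
SAMPLE_SOURCE = '''\
import requests
import subprocess

def fetch(symbol):
    url = f"https://finance.yahoo.com/quote/{symbol}"
    return requests.get(url, timeout=10).text

def fallback(symbol):
    subprocess.run(["curl", "-s", f"https://finance.yahoo.com/quote/{symbol}"], check=True)
'''

if __name__ == "__main__":
    report = find_network_use(SAMPLE_SOURCE)
    missing = undeclared_capabilities(SAMPLE_MANIFEST, SAMPLE_SOURCE)
    for lineno, text in report["evidence"]:
        print(f"line {lineno}: {text}")
    print("hosts:", sorted(report["hosts"]))
    print("undeclared:", sorted(missing))
```

Run against the constructed sample, the check reports the requests.get call and the curl fallback as evidence, names finance.yahoo.com as the destination, and lists "network" as undeclared; adding "network" to the manifest's permissions list clears the finding. A pattern scan like this is deliberately conservative: it cannot see dynamic imports or obfuscated strings, which is why the Supply Chain patterns above also look for obfuscated code.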

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill advertises scheduled pushes to DingTalk/WeChat but does not clearly warn that fetched market data and possibly report metadata will be transmitted to external messaging platforms. This creates a transparency and data-governance risk, especially in enterprise environments where outbound integrations may require approval or auditing.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"python": ">=3.8"
  },
  "dependencies": {
    "requests": "^2.28.0"
  }
}
Confidence
90% confidence
Finding
"requests": "^2.28.0" is a caret range, not a pin: under the usual caret semantics it admits any 2.x release at or above 2.28.0, so the code that actually runs is chosen at install time rather than fixed by the manifest.
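To make the Unpinned Dependencies finding concrete, here is an added example (not the scanner's or the skill's code) that classifies dependency specifiers, computes the version range each one admits, and reports every entry that is not an exact pin. Caret and tilde are interpreted with the poetry/npm convention, which is an assumption about the manifest format; the manifest below is the fragment quoted in the finding plus two constructed entries for contrast.

```python
"""Classify dependency specifiers and show what an unpinned range admits.

Added example for the Unpinned Dependencies finding; it is not the
scanner's or the skill's own code.  Caret and tilde follow the poetry/npm
convention (^2.28.0 == >=2.28.0,<3.0.0; ~2.28.0 == >=2.28.0,<2.29.0).
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'2.28' -> (2, 28, 0); components beyond the third are ignored."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def allowed_range(spec: str) -> Tuple[Optional[Version], Optional[Version], bool]:
    """Return (lower_inclusive, upper_exclusive, exact) for one specifier.

    None for a bound means unbounded in that direction.
    """
    spec = spec.strip()
    if spec in ("", "*"):
        return None, None, False
    if spec.startswith("=="):
        v = parse_version(spec[2:])
        return v, (v[0], v[1], v[2] + 1), True
    if spec.startswith("^"):
        v = parse_version(spec[1:])
        major, minor, patch = v
        if major > 0:
            upper = (major + 1, 0, 0)
        elif minor > 0:
            upper = (0, minor + 1, 0)
        else:
            upper = (0, 0, patch + 1)
        return v, upper, False
    if spec.startswith("~"):
        v = parse_version(spec[1:])
        return v, (v[0], v[1] + 1, 0), False
    if spec.startswith(">="):
        return parse_version(spec[2:]), None, False
    if re.fullmatch(r"\d+(\.\d+)*", spec):
        # A bare version is an exact pin in poetry/npm manifests.
        v = parse_version(spec)
        return v, (v[0], v[1], v[2] + 1), True
    raise ValueError(f"unsupported specifier: {spec!r}")


def satisfies(version: str, spec: str) -> bool:
    """True if `version` is admitted by `spec`."""
    lower, upper, _ = allowed_range(spec)
    v = parse_version(version)
    return (lower is None or v >= lower) and (upper is None or v < upper)


def _fmt(v: Optional[Version]) -> str:
    return ".".join(str(n) for n in v) if v is not None else "unbounded"


def audit_dependencies(manifest: dict) -> list:
    """One finding per dependency whose specifier is not an exact pin."""
    findings = []
    for name, spec in manifest.get("dependencies", {}).items():
        lower, upper, exact = allowed_range(spec)
        if exact:
            continue
        bounds = [b for b in (
            f">={_fmt(lower)}" if lower is not None else None,
            f"<{_fmt(upper)}" if upper is not None else None) if b]
        findings.append({
            "package": name,
            "spec": spec,
            "admits": ",".join(bounds) or "any version",
            # Pin to the version actually tested; add a --hash entry in the
            # lock/requirements file so a substituted artifact fails to install.
            "fix": f'"{name}": "=={_fmt(lower)}"' if lower else f'"{name}": "==<tested version>"',
        })
    return findings


# The fragment quoted in the finding, plus constructed entries for contrast.
MANIFEST = {
    "python": ">=3.8",
    "dependencies": {
        "requests": "^2.28.0",   # from the finding: admits any 2.x >= 2.28.0
        "pyyaml": "~6.0",        # constructed: admits 6.0.x only
        "urllib3": "==2.0.0",    # constructed: exact pin, produces no finding
    },
}

if __name__ == "__main__":
    for f in audit_dependencies(MANIFEST):
        print(f"{f['package']}: {f['spec']} admits {f['admits']}; suggest {f['fix']}")
    print("2.99.0 satisfies ^2.28.0:", satisfies("2.99.0", "^2.28.0"))
```

The point the range computation makes is that "^2.28.0" accepts a hypothetical 2.99.0 released after the skill was reviewed, so a later minor release of requests (or a malicious upload within that range) runs without any change to the skill. Pinning with "==" narrows the manifest to one version; the lock-file hash is what stops a differently-built artifact of that same version from being substituted.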

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.