A Share Metrics Card

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public A-share stock data and writes a local Markdown summary, with no evidence of hidden or unrelated behavior.

Before installing, expect the stock symbol to be sent to public market-data services and expect a Markdown file to be created or replaced locally. Keep the output path inside an intended notes folder, and install any required Python dependencies only from trusted package sources.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill explicitly performs network retrieval and writes a Markdown file, but it declares no permissions or user-facing authorization for those capabilities. This can lead to silent external data access and filesystem modification, which increases the risk of unintended writes, misuse of inherited agent privileges, and reduced auditability.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill instructs the agent to write Markdown to outputPath, including a default path, but does not warn the user that it may create or overwrite files. If outputPath is user-controlled or reused, this can clobber existing notes, create files unexpectedly, or be abused for path-manipulation within the agent's writable area.

VirusTotal

40/40 vendors flagged this skill as clean.

View on VirusTotal