Stock Quote

Security checks across malware telemetry and agentic risk

Overview

This stock quote skill is low risk: it fetches requested market prices from Yahoo Finance and does not show hidden or destructive behavior.

Install if you are comfortable with requested ticker symbols being sent to Yahoo Finance. Use explicit stock, ETF, or crypto tickers when invoking it, and consider pinning Python dependencies if your environment requires stricter supply-chain controls.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The trigger phrases "Is the market up today?" and "How's the market doing?" are broad enough to collide with normal conversational queries, causing the skill to activate when the user may not have intended to invoke it. Over-broad activation can lead to unnecessary external requests and unintended disclosure of user prompts to the backing data source or skill runtime.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal