US Stock Analysis Lite

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward stock research helper that uses public web data and does not request local files, credentials, persistence, or control over user accounts.

Install it as a first-pass public-market research aid, not as investment advice. Expect ticker or company queries to be searched on the web and verify important figures against SEC filings or trusted market-data sources. Do not provide brokerage credentials, account details, or private portfolio information because this skill does not need them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The example trigger phrases are broad, ordinary-language requests like 'Quick fundamental check on AAPL' and 'Is NVDA overvalued? Give me the basics,' which can plausibly match normal user conversation and cause the skill to activate unexpectedly. Unintended invocation can lead to surprise external web searches/fetches and stock-analysis responses when the user did not explicitly mean to use this skill.

Missing User Warnings

Low

Confidence: 86% confidence
Finding: The skill requires web_search and web_fetch, but the user-facing description does not clearly warn that it will query external sites and retrieve remote content. This reduces user awareness and informed consent, especially because financial queries may be sensitive and remote content can introduce privacy and content-trust risks.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal