stock-insight

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Chinese stock-analysis skill with no code execution or private-data access, but it can produce concrete trading suggestions that users should treat cautiously.

Install this only if you want a Chinese-language stock research assistant. Check live market data yourself, narrow activation triggers if accidental use would be disruptive, and do not treat generated buy/sell ranges, stop losses, or targets as personalized financial advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The manifest includes very broad trigger phrases such as common requests like '分析一下', '研究', and '怎么看', which can cause the skill to activate in many unrelated conversations. Over-broad activation increases prompt-routing risk, allowing this finance-oriented skill to hijack benign requests and steer users into domain-specific outputs or investment-style guidance when not intended.

Natural-Language Policy Violations

Medium

Confidence: 89% confidence
Finding: The skill metadata and content prescribe Chinese-language interaction without indicating any user language negotiation or fallback. This can override user expectations, reduce transparency, and create unsafe misunderstandings when financial analysis and action recommendations are delivered in a language the user did not request or may not fully understand.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal