Security audit

China Stock Data

Security checks across malware telemetry and agentic risk

Overview

This stock-data skill is mostly coherent, but it ships an exposed third-party API token and includes guidance, without adequate caveats, for bypassing provider rate limits and for modifying browser-agent behavior and the local runtime environment.

Install only if you are comfortable auditing and removing the bundled Tushare token first, supplying your own credentials through environment variables or a secret store, and avoiding the proxy/IP-rotation guidance. Treat the browser/PDF workflow as optional and run it only with explicit file-download approval in a contained environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
This reference materially expands the skill from market-data retrieval into full browser automation, local environment patching, and file download/parsing workflows. In an agent setting, these capabilities increase the accessible attack surface by enabling interaction with arbitrary JS-rendered pages, writing files to local storage, and modifying runtime behavior via environment variables, which is beyond what users would reasonably expect from a stock-data skill.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The documented workflow instructs the agent to click download controls, save PDFs to ~/Downloads, and run local Python code to extract text from those files. That crosses from data lookup into local file creation and processing, which can be abused for unwanted disk writes, processing of untrusted documents, and capability creep inside the agent environment.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The document explicitly recommends using a proxy pool with multi-IP rotation to continue accessing a service after the calling server's IP has been rate-limited or temporarily banned. That guidance facilitates deliberate evasion of provider access controls and can lead to terms-of-service violations, further blocking, or abuse of third-party proxy infrastructure. In a stock-data aggregation skill this is more dangerous because it operationalizes bypass techniques for production use rather than documenting compliant fallback behavior.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
These notes explicitly recommend adding jitter, enforcing connection pacing, and rotating across multiple TDX servers to reduce detection and avoid IP blocking. That goes beyond normal resiliency guidance and provides operational advice for evading provider rate limits and anti-abuse controls, which can enable unauthorized or policy-violating scraping at scale.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The code embeds and initializes a live third-party Tushare Pro API token directly in source. Hardcoded credentials are dangerous because anyone with access to the skill code can extract and misuse the token, leading to unauthorized API consumption, account abuse, quota exhaustion, and possible attribution of malicious activity to the token owner.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
This file adds SEC EDGAR functionality for U.S. equities even though the skill is declared as a China A-share data-source skill. That scope mismatch is dangerous because it introduces undeclared external network access and data-handling capability that users, reviewers, or policy controls may not expect, weakening trust boundaries and making it easier to hide unrelated or unauthorized behavior inside a seemingly narrow skill.

Missing User Warnings

Medium
Confidence: 93%
Finding
The markdown describes anti-rate-limit tactics, including user-agent rotation and multi-IP proxy rotation, without any warning that these measures may violate service terms, trigger account suspension, or constitute circumvention of access restrictions. Even though this is documentation rather than executable code, it meaningfully enables misuse by operators maintaining the skill. The financial-data context does not justify bypassing provider controls; instead it increases risk because scraping pressure may be continuous and automated.

Missing User Warnings

High
Confidence: 100%
Finding
A hardcoded Tushare API token is a real secret exposure. In an agent skill context, distributing code with embedded credentials is especially risky because many users or systems may clone, inspect, or run the skill, allowing the credential to be harvested and abused at scale.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.