investoday-stock-financial-analysis

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only stock financial analysis skill that appears limited to public market data lookups and structured reporting.

Before installing, confirm you want this skill to handle A-share financial statement analysis and review the separate investoday-finance-data dependency, since it performs the actual data access. Avoid entering personal or confidential financial information; this skill is for public company analysis and does not provide investment advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger keywords listed in metadata are broad, generic finance terms that commonly appear in normal investing conversations. This can cause the skill to activate when the user did not intend a full financial-analysis workflow, leading to incorrect tool use, scope creep, or unintended disclosure of market-data lookups within a broader conversation.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The activation scenarios describe when the skill may be used, but they do not clearly define boundaries for when it must not activate. In an agent setting, ambiguous routing increases the chance of unintended invocation, especially because nearby intents like valuation, trend analysis, and general company discussion substantially overlap with the listed scenarios.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal