investoday-stock-news-event-analysis

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed stock-news analysis skill that queries Investoday market data and does not show hidden storage, destructive behavior, or unrelated access.

Install this only if you trust Investoday and the separate investoday-finance-data helper skill. Use a protected API key, and remember that stock queries may be visible to the data provider; the skill explicitly frames output as reference analysis rather than investment advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger keywords are broad, generic stock-chat terms such as '最近新闻', '消息面', and '利好利空', which can match many ordinary finance queries beyond this skill’s intended scope. This increases the chance of unintended activation, causing the agent to invoke external market-data workflows unnecessarily and potentially override a more appropriate skill or response path.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The activation scenarios describe when to use the skill but do not define clear non-trigger conditions or disambiguation boundaries with related skills. In an agentic system, this ambiguity can lead to over-invocation on loosely related finance questions, increasing unnecessary external API access and raising the risk of incorrect tool selection and misleading analysis output.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal