Security audit

investoday-stock-anomaly-analysis

Security checks across malware telemetry and agentic risk

Overview

This skill provides disclosed stock-movement analysis using public financial data and does not show hidden access, persistence, or unsafe actions.

Reasonable to install for public A-share stock movement analysis. Review the separate investoday-finance-data dependency if you need assurance about the underlying API behavior. Do not treat the output as investment advice, and do not provide private account details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 86%
Finding
The skill declares very broad trigger phrases such as “为什么涨/为什么跌/拉升/跳水/盘中异动”, which are common expressions that may appear in ordinary conversation and can cause the skill to activate unintentionally. In an agent environment, over-broad activation can route unrelated user queries into a finance-analysis workflow, leading to incorrect tool use, confusion, and unnecessary exposure of external data access paths.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.