
Security audit

investoday-stock-message-analysis

Security checks across malware telemetry and agentic risk

Overview

This appears to be a finance news-analysis skill whose external lookups fit its stated purpose, with only a minor over-broad activation concern.

Install only if you want an agent to use network/current-data lookups for stock-news interpretation. Review its trigger phrases if you want tighter activation, and treat any market analysis as informational rather than trading instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger list includes broad, common phrases such as '最近新闻', '消息面', and '利好利空', which can match ordinary finance conversations and cause the skill to activate when the user did not explicitly request this specific workflow. In an agent system, over-broad activation can route user input to the wrong skill, leading to unintended tool calls, unnecessary external data access, and reduced reliability of downstream analysis.

Vague Triggers

Medium
Confidence: 85%
Finding
The activation scenarios are described broadly and do not clearly define boundaries or non-trigger cases, so adjacent requests like general market commentary or intraday price-move explanations may incorrectly invoke this skill. That ambiguity increases the chance of misrouting, which is especially relevant here because the skill performs multiple external financial-data lookups once triggered.

VirusTotal

62/62 vendors flagged this skill as clean.
