Digital Oracle

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public market and financial web data for analysis, with some privacy and provenance caveats but no hidden trading, credential theft, or destructive behavior found.

Install only if you are comfortable with the agent making outbound requests to public financial APIs, DuckDuckGo, and web pages based on your question. Avoid using it with confidential research topics unless that network exposure is acceptable, and do not enable snapshot recording for sensitive queries unless you control and later clean up the snapshot directory. Treat the Stooq provider as a Yahoo Finance compatibility wrapper when evaluating data provenance.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documents executable code paths with network, filesystem, and environment capabilities but declares no permissions, which creates a dangerous transparency gap for any host that relies on permission metadata for sandboxing or user consent. In context, the skill performs broad external data retrieval and may write dependency artifacts, so undeclared capabilities could lead to unintended outbound requests, local file access, or data exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The public description frames the skill as a narrowly scoped market-data oracle, but the workflow and provider list expand into arbitrary web search/fetch, non-market data collection, and generic concurrent execution. This mismatch can mislead users and orchestration systems about what the skill will access, increasing the chance of unexpected network reach, prompt-scope expansion, and unsafe invocation in sensitive contexts.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This is a real integrity and transparency issue: the provider is named and presented as Stooq-backed, but all history retrieval is delegated to Yahoo Finance. In a skill that answers probability and market questions using traded data, misrepresenting the upstream source can lead to incorrect trust assumptions, different licensing/compliance expectations, and materially different market data semantics or availability.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The docstring and display metadata suggest Stooq sourcing while the implementation uses Yahoo Finance, creating misleading provenance for financial data. In this skill's context, source provenance matters because users may rely on specific market feeds for forecasting, and hidden source substitution can skew analysis, break auditability, or violate user expectations about coverage and timeliness.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The provider materially exceeds the declared skill scope by performing arbitrary web search and webpage fetching rather than restricting itself to market/trading data sources. In an agent setting, this can pull in untrusted internet content, broaden data exfiltration and prompt-injection exposure, and mislead users into believing outputs are derived from market signals when they may actually come from general web pages.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly encourages agents to install the project, read SKILL instructions, and call many external market-data providers, but it does not clearly disclose that user prompts and derived query terms may be sent to multiple third-party services. In an agent setting, that can leak sensitive user intent, proprietary research topics, or regulated financial inquiry context to external endpoints without informed consent.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The activation criteria are extremely broad, covering geopolitics, economics, markets, industries, and general probability questions, which can cause the skill to trigger in many ambiguous situations. In context, that matters because the skill has expansive networked data-gathering behavior; over-broad routing increases the chance of unnecessary external calls, unexpected tool use, and application in domains the user did not intend.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The recording client persists full request parameters and raw HTTP responses to disk in snapshot files with no filtering, redaction, or consent boundary. In this skill's context, requests and responses may contain API keys, market/account identifiers, query terms, or proprietary/paid data, so local snapshot files can become a sensitive-data disclosure channel if logs are retained, shared, or checked into source control.

VirusTotal

67/67 vendors flagged this skill as clean.