Yyqdata Stock Skill

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a stock-data lookup purpose, but it also ships an under-disclosed updater and agent-visible admin/token-management documentation that goes beyond ordinary market-data queries.

Install only if you trust the publisher and are comfortable with a bearer token being used by an agent. Prefer a platform secret or 0600 config file over pasting the token into chat, avoid query-string authentication, and do not run update.sh unless you accept that it downloads and replaces the installed skill from the publisher’s server. Do not give the agent an admin/provisioning token; use a narrowly scoped data token only.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The document explicitly claims the distributed zip contains only markdown and no executable code, but later instructs users to run a bundled update.sh script. This inconsistency is security-relevant because it can lower user suspicion and encourage execution of code they were told does not exist, increasing supply-chain and trust abuse risk.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The skill is presented as a markdown-only translator for REST calls, yet the guide describes bundled self-updating shell code and agent-driven manifest polling. That expands the trust boundary from static documentation to executable/update behavior, creating unnecessary supply-chain exposure and making the skill materially more dangerous than advertised.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The skill tells the agent to read tokens from multiple local config paths under home directories, expanding access to locally stored secrets beyond the declared source. This can cause credential harvesting from unrelated persisted files and breaks the principle of least privilege for a task that should only use in-session or platform-injected credentials.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The document says tokens are user-provided in-session and must not be persisted, but later instructs the agent to load persisted tokens from config.json. This contradiction can mislead users and reviewers about how secrets are actually handled, increasing the chance of unauthorized credential reuse or silent access to stored secrets.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
The documented surface includes privileged admin and token-management endpoints that are unrelated to a read-only market-data skill. In an agent setting, exposing or even documenting issuance, revocation, scope mutation, IP allowlist changes, and expiry controls dramatically expands the attack surface and creates a path for privilege escalation or unauthorized credential lifecycle operations if the skill routes are reachable.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
Token lifecycle operations such as provision, revoke, rotate, apply-plan, renew, scope add/remove, IP add/remove, and path set enable direct modification of authorization state. For a query skill, these capabilities are unjustified and dangerous because a prompt-influenced agent could be induced to mint or alter credentials, widen access, or disable safeguards.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
The file discloses internal non-OpenAPI SYSTEM tables, including user records, token storage, audit logs, and strategy configuration tables, which exceeds the skill's stated purpose and leaks backend implementation details. Such information materially helps attackers map sensitive assets, target credential/token-related components, and craft more precise probing or social-engineering attempts even if the tables are not directly exposed.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The guide instructs users to paste a plaintext API token directly into chat, which may be retained in conversation history, telemetry, screenshots, or agent logs. The text even notes a whoami call will appear in backend logs, so the surrounding context increases the likelihood of sensitive credential exposure through normal platform behavior.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding
The skill directs access to local config.json files containing tokens without prominent warning that this is sensitive-secret access. In the context of an agent skill, normalizing reads from home-directory secret files increases the chance of overbroad credential exposure and weakens user expectations about what local data may be touched.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The fallback mode places the bearer token in the URL query string. Even though the document briefly notes logging risk, query-string credentials are commonly exposed in browser history, intermediary logs, referrers, and monitoring systems, making credential leakage more likely.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The instructions tell users to provide a secret token in chat, have the agent retain it for the session, and acknowledge related activity may appear in backend logs. This is dangerous because it normalizes insecure secret handling and increases the attack surface to chat transcripts, prompt logs, agent memory, and downstream observability systems.

VirusTotal

64/64 vendors flagged this skill as clean.