Eastmoney Financial Search 1.0.2

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Eastmoney financial search helper that sends user queries to Eastmoney’s API using an environment API key.

Install only if you trust Eastmoney and the package source. Use a dedicated API key if possible, avoid putting confidential or regulated information in search queries, and be aware that queries are sent to Eastmoney’s external API.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 86% confidence
Finding: The skill performs sensitive actions (reading an API key from the environment, making outbound network requests, and explicitly stating results may be saved to the working directory) but does not declare corresponding permissions. This creates a transparency and governance gap: an agent or reviewer may not realize the skill can exfiltrate user queries to an external service or write retrieved data locally.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal