Dynamic code execution detected.
Critical
- Code
- suspicious.dynamic_code_execution
- Location
- index.js:46470
Security audit
银行外汇牌价
Security checks across malware telemetry and agentic risk
Overview
This skill appears to only fetch public foreign-exchange rates from supported Chinese banks and return them as JSON.
Install only if you are comfortable running a bundled Node.js script that makes outbound requests to Chinese bank sites for live exchange-rate data. It does not appear to need credentials or local file access, but cautious users should compare the bundle with the linked source repository before use in sensitive environments.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
66/66 vendors flagged this skill as clean.
Static analysis
Detected: suspicious.dynamic_code_execution, suspicious.env_credential_access, suspicious.exposed_secret_literal (+1 more)
Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- index.js:15213
File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- index.js:19938
Potential obfuscated payload detected.
Warn
- Code
- suspicious.obfuscated_code
- Location
- index.js:5380