A Stock Analysis.Bak

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent A-share stock quote and local portfolio tracker with expected network quote lookups and local portfolio file writes.

Install if you want A-share quote analysis and simple local portfolio tracking. Be aware that portfolio details are saved locally, remove/update commands edit that file immediately, and quote analysis sends stock symbols to Sina Finance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill exposes commands that add, update, and remove portfolio entries in a local JSON file, but the usage examples do not clearly warn the user that these operations perform persistent local writes. In an agent setting, this can lead to unintended modification of user data or stateful side effects if the commands are invoked without explicit confirmation.

Missing User Warnings

Low
Confidence: 80%
Finding
The skill states that it uses Sina Finance and Eastmoney interfaces to retrieve stock data, but it does not clearly warn that stock symbols and query activity will be sent to third-party network services. In agent-driven environments, undisclosed outbound requests can create privacy, compliance, or policy issues, even if the transmitted data is not highly sensitive.

VirusTotal

66/66 vendors flagged this skill as clean.
