A Stock Analysis Litiao

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill is coherent and disclosed; it only stores and edits a local portfolio file, so use the remove command carefully.

Install only if you want an agent-assisted A-share quote and local portfolio tracker. Back up the portfolio JSON if the records matter, and only run the remove command when you clearly intend to delete a holding from the local record.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill exposes a destructive command that removes portfolio entries without documenting any confirmation prompt, backup guidance, or recovery mechanism. In an agent-driven or semi-automated workflow, this increases the risk of accidental data loss from user mistakes, prompt ambiguity, or unsafe automation invoking the delete operation directly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal