Baostock Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a stock-data skill, but it can turn user-supplied stock query fields into shell commands on the user's machine.

Install only after the maintainer replaces exec with a safe argument-array subprocess call, validates stock symbols/dates/frequencies/types, uses package-relative bundled scripts, and narrows file access to the skill directory plus a documented cache/output path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The skill builds a shell command from untrusted input fields and executes it via child_process.exec, which invokes a shell. Because arguments like symbol, type, and dates are concatenated directly into the command string without escaping or validation, an attacker can inject shell metacharacters and execute arbitrary commands on the host running the skill.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill launches a local executable as a subprocess without any disclosure to the user, which hides a sensitive capability from the calling context. In this specific file, that hidden subprocess execution is more dangerous because it is combined with unsanitized command construction, increasing the chance of unexpected code execution or data access without user awareness.

VirusTotal

66/66 vendors flagged this skill as clean.
