Back to skill

Security audit

SEC Data Pull Forms 10K, 10Q, 8K and others fillings for companies and stocks - Finance

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public SEC filing data as advertised, with expected SEC network access and dependency hygiene notes but no evidence of hidden, destructive, or credential-seeking behavior.

Install only if you are comfortable with live requests to SEC services. Configure the SEC User-Agent with appropriate contact information, avoid sensitive personal details there, and prefer pinned or locked dependency versions in controlled environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly instructs the agent to access the SEC EDGAR service and therefore requires outbound network access, yet no corresponding permission is declared. This creates a transparency and policy-enforcement gap: hosts may install or run the skill without understanding that it can make external requests, weakening sandboxing and review controls.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas>=2.2.0
pydantic>=2.0.0
requests>=2.28.0
beautifulsoup4>=4.12.0
Confidence
96% confidence
Finding
pandas>=2.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas>=2.2.0
pydantic>=2.0.0
requests>=2.28.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
Confidence
96% confidence
Finding
pydantic>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas>=2.2.0
pydantic>=2.0.0
requests>=2.28.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
python-dateutil>=2.8.0
Confidence
97% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas>=2.2.0
pydantic>=2.0.0
requests>=2.28.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
python-dateutil>=2.8.0
Confidence
95% confidence
Finding
beautifulsoup4>=4.12.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pydantic>=2.0.0
requests>=2.28.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
python-dateutil>=2.8.0
Confidence
97% confidence
Finding
lxml>=4.9.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
python-dateutil>=2.8.0
Confidence
95% confidence
Finding
python-dateutil>=2.8.0

Known Vulnerable Dependency: pydantic — 3 advisory(ies): CVE-2021-29510 (Use of "infinity" as an input to datetime and date fields causes infinite loop i); CVE-2024-3772 (Pydantic regular expression denial of service); CVE-2021-29510 (Pydantic is a data validation and settings management using Python type hinting.)

High
Category
Supply Chain
Confidence
86% confidence
Finding
pydantic

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
93% confidence
Finding
requests

Known Vulnerable Dependency: lxml — 10 advisory(ies): CVE-2021-43818 (lxml's HTML Cleaner allows crafted and SVG embedded scripts to pass through); CVE-2014-3146 (lxml Cross-site Scripting Via Control Characters); CVE-2021-28957 (lxml vulnerable to Cross-Site Scripting ) +7 more

High
Category
Supply Chain
Confidence
90% confidence
Finding
lxml

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.