Back to skill

Security audit

Stock Tech Analysis

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward stock-analysis skill that fetches public Yahoo Finance prices and prints technical indicators without credentials, persistence, or local data access.

Install only if you are comfortable with the skill contacting Yahoo Finance for public stock data. Treat its output as educational technical analysis, not financial advice; the provided artifacts do not show suspicious security behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill explicitly states it uses Yahoo Finance public API data, which means it performs network access despite having no declared permissions. This creates a permissions transparency issue: users and hosting platforms may not expect outbound requests, and undeclared network access can expose metadata, enable unintended data exfiltration paths, or violate platform policy even if the stated use is legitimate.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.