Back to skill

Security audit

US Stock Analyzer

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed stock-analysis helper that fetches market data and produces buy-signal style reports, but it does not trade, access brokerage accounts, or hide unrelated behavior.

Install only if you are comfortable running Python market-data tools from this publisher. Provide any FMP key through a private environment variable or local config, and treat generated buy signals, targets, stop losses, and portfolio percentages as informational model output that needs independent review or licensed financial advice before acting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares executable capabilities in metadata and usage instructions that require environment access, package installation, Python execution, and network-based data retrieval, but it does not explicitly declare corresponding permissions. This creates a trust and review gap: a host may treat the skill as low-privilege while it can still access API keys, fetch external data, and read/write local files through its scripts and tooling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The report presents an explicit BUY signal and recommends a 10% portfolio allocation before any meaningful warning or suitability caveat appears. In a stock-analysis skill, this is risky because users may act on the recommendation as personalized investment guidance, potentially leading to financial harm if the analysis is wrong or inappropriate for their risk profile.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The CLI prints a clear binary "Buy Signal: YES/NO" recommendation despite using a simplified DCF model with heuristic assumptions, fallback estimates, and incomplete treatment of debt/cash. In an investment-analysis skill, presenting this as an actionable signal without an explicit disclaimer or uncertainty framing can mislead users into treating speculative model output as financial advice, increasing the chance of harmful financial decisions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The CLI prints a clear buy/no-buy style market signal, risk assessment, and sentiment score directly to the user without any disclaimer that the output is informational, model-driven, and not financial advice. In a stock-analysis skill, this materially increases the chance that users act on the output as trading guidance, especially because the surrounding language presents the result as actionable decision support.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.