Global Commodity Today

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward commodity-price briefing tool with expected local script execution and public market-data access.

Before installing, be comfortable running the included Python script, installing akshare and pandas, and allowing public market-data requests. Treat the generated commodity prices as informational, not financial advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The README provides very broad natural-language trigger examples such as asking for today's commodity行情 or a commodity price, which are likely to overlap with ordinary user conversation. In an agent environment that auto-routes on semantic similarity, this can cause unintended invocation, unnecessary external data access, or response hijacking away from the user's preferred tool or workflow.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal