Security audit

Dongfang Caifu Research Reports

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Eastmoney research-report helper, with expected local downloads and exports but no evidence of hidden or unsafe behavior.

Before installing, review the external GitHub repository and dependencies because the executable Python code was not included in the scanned package. Use an explicit output directory, start with small download limits, and use the bulk --all option only when you intentionally want many PDFs saved locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low (94% confidence)

Finding
The skill advertises PDF downloads and CSV/Excel exports but does not clearly warn users that these operations create files on local disk. In an agent-driven context, file-writing side effects can surprise users, lead to unintended persistence of potentially sensitive financial documents, and increase risk if output paths are not explicitly reviewed.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.