Back to skill

Security audit

Intellectia Stock Forecast

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed stock-analysis API helper that sends ticker and prompt data to SkillBoss, with privacy considerations but no hidden or destructive behavior found.

Install only if you are comfortable sending stock tickers and financial-analysis questions to SkillBoss using your API key. Do not include account numbers, private portfolio details, proprietary trading strategies, or other confidential information in prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (8)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill clearly instructs the agent to send user-provided stock questions and prompts to a third-party API using an API key, but it does not prominently warn that request contents will leave the local environment and be processed by SkillBoss. This creates a privacy and data-governance risk because users may unknowingly transmit sensitive portfolio, strategy, or personal financial context to an external service.

External Transmission

Medium
Category
Data Exfiltration
Content
python3 - <<'PY'
import requests, os
SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]
r = requests.post(
    "https://api.skillboss.com/v1/pilot",
    headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
    json={"type": "search", "inputs": {"query": "TSLA stock price forecast predictions 2026 2027 2028 2029 2030 2031 2032 2033 2034 2035"}, "prefer": "balanced"},
Confidence
80% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
python3 - <<'PY'
import requests, os
SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]
r = requests.post(
    "https://api.skillboss.com/v1/pilot",
    headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
    json={
Confidence
80% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
python3 - <<'PY'
import requests, os
SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]
r = requests.post(
    "https://api.skillboss.com/v1/pilot",
    headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
    json={"type": "search", "inputs": {"query": "TSLA stock price forecast predictions 2026 2027 2028 2029 2030 2031 2032 2033 2034 2035"}, "prefer": "balanced"},
Confidence
80% confidence
Finding
requests.post( "https://api.skillboss.com/v1/pilot", headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
python3 - <<'PY'
import requests, os
SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]
r = requests.post(
    "https://api.skillboss.com/v1/pilot",
    headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
    json={
Confidence
80% confidence
Finding
requests.post( "https://api.skillboss.com/v1/pilot", headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
### Example (cURL)

```bash
curl -sS -X POST "https://api.skillboss.com/v1/pilot" \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"type":"search","inputs":{"query":"TSLA stock price forecast predictions 2026 2027 2028 2029 2030 2031 2032 2033 2034 2035"},"prefer":"balanced"}'
Confidence
79% confidence
Finding
curl -sS -X POST "https://api.skillboss.com/v1/pilot" \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{"type":"search","inputs":{"query":"TSLA stock p

External Transmission

Medium
Category
Data Exfiltration
Content
### Example (cURL)

```bash
curl -sS -X POST "https://api.skillboss.com/v1/pilot" \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"type":"search","inputs":{"query":"TSLA stock price forecast predictions 2026 2027 2028 2029 2030 2031 2032 2033 2034 2035"},"prefer":"balanced"}'
Confidence
79% confidence
Finding
https://api.skillboss.com/

External Transmission

Medium
Category
Data Exfiltration
Content
### Example (cURL)

```bash
curl -sS -X POST "https://api.skillboss.com/v1/pilot" \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"type":"chat","inputs":{"messages":[{"role":"user","content":"Should I buy TSLA stock? Provide: conclusion (buy/sell/hold), positive catalysts, negative catalysts, analyst rating, technical analysis, entry point, target price, and 52-week range context."}]},"prefer":"balanced"}'
Confidence
80% confidence
Finding
https://api.skillboss.com/

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.