Stock AI exposure analysis for investing

Security checks across malware telemetry and agentic risk

Overview

This is a public-data investment research helper with no evidence of credential use, hidden access, persistence, or destructive behavior.

Install only if you are comfortable with the agent browsing public financial sources and producing investment-oriented labels. Verify cited filings, transcripts, patent data, and valuation metrics yourself, and pin or review the optional Python dependencies before running the helper scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The skill promises autonomous, evidence-based company analysis using filings, patents, transcripts, valuation data, and O*NET mappings, but the implementation apparently does not perform those fetches or derivations and instead relies on manual inputs/local occupation lookup. This is dangerous because users may trust outputs as grounded financial research when they are not, leading to misleading investment conclusions and false confidence in the analysis provenance.

VirusTotal

65/65 vendors flagged this skill as clean.
