Security audit

A Stock Trading Assistant

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed China A-share quote and analysis helper with financial-advice risk, but no hidden credential access, trading-account control, or deceptive behavior was found.

Install only if you want an A-share-focused market analysis assistant. Treat outputs as informational, not licensed financial advice or a guarantee; verify data and assumptions independently, especially for ambiguous tickers or non-A-share markets. Stock codes you ask about are sent to public finance data providers, and alert details may be stored locally if you use the watchlist workflow.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The skill's invocation description is broad enough to activate on many generic investment or stock-related queries, which can cause the assistant to enter a high-risk financial-advice workflow without clear user intent boundaries. In a trading context, over-triggering increases the chance of unsolicited or mis-scoped market advice, potentially misleading users or bypassing safer general-response behavior.

Natural-Language Policy Violations

Medium

Confidence: 80% confidence
Finding: The skill forces a specific market, locale, and service scope without offering user confirmation, which can lead to incorrect assumptions about the user's intent and produce mismatched financial guidance. In a regulated and high-stakes domain like stock trading, silently constraining outputs to A-shares and Chinese-language assumptions raises the risk of unsuitable advice or omission of relevant context.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The document gives concrete stock trading and position-sizing guidance, including buy/sell signals, risk levels, and recommended仓位, without any disclaimer that it is informational only and not financial advice. In an agent skill context, users may treat this as authoritative guidance and make real financial decisions, creating avoidable financial harm and potential compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.