Nasdaq Data Link

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Nasdaq Data Link connector, with a naming issue around one quote action but no evidence of hidden or malicious behavior.

Use this for Nasdaq Data Link data lookups through an OOMOL account, but do not rely on get_real_time_quote for live trading or alerts; it returns end-of-day data. Install or authenticate the oo CLI only if you trust OOMOL's installer and account connection flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The action name and metadata imply live real-time market data, but the documentation explicitly says it returns end-of-day QuoteMedia rows. This semantic mismatch can mislead downstream agents or users into making time-sensitive decisions on stale data, especially in financial contexts where freshness materially affects outcomes.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The skill advertises handling Nasdaq Data Link requests and this specific action presents itself as a real-time quote endpoint, yet it actually serves end-of-day data. In an agentic workflow, this can cause silent data integrity failures where trading, alerting, or analytics logic assumes current quotes but operates on stale information.

VirusTotal

63/63 vendors flagged this skill as clean.
