Security audit

Fund Daily Report

Security checks across malware telemetry and agentic risk

Overview

This finance-report skill is not overtly destructive, but it needs review because it embeds third-party login credentials and can present proxy metrics as fund-flow or holding-change data.

Install only if you are comfortable with a finance-reporting skill that contacts external market-data services and currently contains a hard-coded JQData login. Treat the report as heuristic market screening, not verified fund-flow, subscription, or holding-change analysis; the embedded credential should be removed and rotated before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Intent-Code Divergence

Medium, 89% confidence
Finding
The documentation claims to identify funds with the most capital inflow, but the ranking is based on 1-month performance as a proxy rather than actual flow data. This is dangerous because users may rely on incorrect financial signals, making decisions based on mislabeled analytics that appear authoritative.

Intent-Code Divergence

High, 93% confidence
Finding
The skill claims to report the stocks in which funds increased their holdings the most, but the described method uses generic A-share market data and a synthetic score unrelated to actual fund holding changes. In the finance context, this can mislead users into believing the output reflects institutional position changes, which may materially distort analysis or trading decisions.

Context-Inappropriate Capability

High, 99% confidence
Finding
The fallback path authenticates to JQData with hard-coded credentials even though the skill is described as using public 天天基金网/东方财富 data. Embedded secrets can be extracted by anyone with code access and abused for unauthorized third-party access, billing, quota exhaustion, or account compromise.

Vague Triggers

Medium, 81% confidence
Finding
The trigger rules are overly broad and mandatory, causing the skill to activate for many ordinary fund-related requests without sufficient scoping. In an agent system, this can route users into a tool that may provide misleading or overclaimed financial analysis even when a narrower or safer response path would be more appropriate.

Vague Triggers

Medium, 84% confidence
Finding
Ambiguous trigger phrases, such as ordinary mentions of fund topics, can cause unintended activation, increasing the chance that the skill is used outside its validated scope. Because the skill already contains documentation/behavior mismatches, accidental invocation raises the risk of spreading inaccurate or unsupported financial conclusions.

Missing User Warnings

High, 99% confidence
Finding
An embedded credential is used for external authentication without disclosure, which exposes a reusable secret directly in source code. In a skill context, this is especially dangerous because the code may be distributed, inspected, or logged, enabling unauthorized use of the third-party account and hidden outbound access.

Missing User Warnings

Medium, 95% confidence
Finding
The fallback silently contacts JQData, a third-party service not disclosed in the skill description, expanding the data-sharing and network trust boundary. Even if the queried data seems non-sensitive, undisclosed outbound requests can leak usage metadata, violate user expectations, and create compliance/privacy issues.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.