Back to skill

Security audit

Hs300 Research V5

Security checks across malware telemetry and agentic risk

Overview

This finance research skill is purpose-aligned overall, but it should be reviewed because it ships live third-party credentials and its documentation understates enabled credentialed data access.

Review before installing. Treat the bundled JQData and Tushare credentials as exposed and rotate or remove them. Only install after replacing provider secrets with your own environment-managed credentials, disabling unwanted external data sources, and deciding whether pywencai query text, optional cookies, caches, logs, reports, and downloaded PDFs are acceptable in your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hardcodes live JQData credentials directly in source code via jq.auth('13918681158', 'Yindb1158'). Embedded credentials are easily exposed through source control, logs, packaging, or downstream redistribution of the skill, enabling unauthorized access to the third-party account and any associated paid data entitlements.

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The skill exposes announcement PDF download functionality that goes beyond the declared analytics/research scope, increasing the agent's ability to fetch and persist arbitrary external files. In an agent setting, file download primitives expand the attack surface for SSRF-like misuse, storage abuse, and unsafe downstream processing of untrusted documents, especially if attach_path or save_dir are not tightly validated in the downstream fetcher.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The module documentation says JQData is disabled, but the code still imports credentials, authenticates, and performs JQData queries in multiple methods. This mismatch can cause operators to unknowingly enable external data access with stored secrets, violating least surprise and potentially exposing credentials or regulated data flows in environments that believed the integration was off.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The file embeds live JQData credentials and immediately uses them for authentication, which is a real secret-exposure vulnerability regardless of the surrounding documentation. In an agent skill context, this is especially dangerous because anyone with code or logs access may reuse the account, consume paid quota, access associated data, or pivot into other systems if the password is reused.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The username and password are embedded directly in the skill and are not necessary to expose in source form to accomplish the analytical purpose. This creates a straightforward credential leakage path through repositories, package artifacts, prompts, crash reports, or downstream model/tool visibility.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill says it 'must' be used for broad classes of stock-analysis requests, which can cause over-triggering on common finance prompts. Overly broad activation is risky because it may route ordinary requests into a networked, data-fetching workflow without necessity, increasing exposure to third-party services and reducing user control.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The 'when to use' section enumerates many scenarios without boundaries, making the skill applicable to a wide range of routine investment questions. In context, this is more dangerous because the skill couples broad invocation with automatic external data collection, so unnecessary activations can trigger avoidable network access and third-party data sharing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises automatic multi-source collection and natural-language pywencai queries but does not warn users that prompts or query terms may be transmitted to third-party services. This is dangerous because user-provided investment interests, watchlists, or proprietary screening logic could be disclosed externally without informed consent.

Missing User Warnings

High
Confidence
97% confidence
Finding
Using hardcoded authentication credentials without any notice to the user means the skill silently relies on a third-party account the operator may not control or realize is being used. This increases the risk of credential misuse, unauthorized billing/data access, and accidental propagation of sensitive secrets when the skill is shared or deployed.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code makes external requests to JQData to retrieve market and fundamentals data without prior disclosure that stock symbols, query parameters, and access metadata will be sent to a third-party service. In a research skill that may be triggered on user requests, this can create unnoticed data-sharing, compliance, and privacy issues, especially in enterprise or regulated environments.

Missing User Warnings

High
Confidence
98% confidence
Finding
The call to jq.auth uses a hard-coded phone number and password with no safer handling, no warning, and no boundary between code and secrets. In a skill that may be shared, inspected, or executed in multi-tenant environments, this materially increases the chance of unauthorized account use and silent third-party dependency abuse.

Missing User Warnings

High
Confidence
99% confidence
Finding
Hardcoded account credentials are a real secret exposure. Anyone with access to the repository, package, logs, or copied skill files can reuse these credentials to access the JQData account, consume paid resources, exfiltrate account-linked data, or pivot into other systems if the password is reused. In a research/agent skill context, embedding live credentials is especially dangerous because skills are often shared, versioned, and deployed across multiple environments.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The module sends arbitrary natural-language queries and an optional authentication cookie to the external pywencai service, but provides no user-facing disclosure, consent, or redaction controls. In this skill context, user prompts may contain sensitive research intent, proprietary screening logic, or account-linked session cookies, so silent transmission to a third-party data provider creates a real privacy and data-handling risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.