Yahoo Finance News

Security checks across malware telemetry and agentic risk

Overview

This skill fetches Yahoo Finance headlines for requested symbols and stores a small local cache; its main issue is broad wording that could make an agent choose it too often.

Install this if you are comfortable with pip installing yfinance, sending requested ticker symbols to Yahoo Finance through that library, and keeping cached public headline results locally. Agents should use it only for explicit ticker or Yahoo Finance news requests, not broad general-news questions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The trigger phrases are broad enough to capture generic financial-news queries, which can cause the agent to invoke this skill outside its intended symbol-specific scope. That increases the chance of inappropriate tool activation, unnecessary network calls, and misleading responses when user intent is broader than Yahoo-symbol headline retrieval.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal