Back to skill

Security audit

Company-Deep-Analysis

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed A/H-share company research workflow that gathers market data and writes analysis reports, with no evidence of credential use, exfiltration, destructive behavior, or hidden persistence.

Install only if you are comfortable with the skill running external market-data tools and creating local report files. Review generated investment conclusions independently, and avoid using it in sensitive shared environments unless you are comfortable with temporary stock-analysis data and report filenames being visible on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list includes very generic investment and research phrases such as '公司分析', '深度分析', '行业研究', and '财务分析', which are common in ordinary conversations and can cause unintended skill activation. In an agent setting, accidental invocation can launch external data collection, produce files, and influence downstream actions without the user clearly consenting to this specific workflow.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The routing table makes 'no special word' fall through to full mode, so many ordinary requests can trigger the full six-step pipeline by default. This increases the blast radius of accidental activation because the most expensive and data-writing behavior occurs when intent is least explicit.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The skill writes output artifacts and temporary data to disk, including report files and `/tmp/{股票代码}_data.json`, but the description does not clearly warn users about this side effect before execution. In multi-tenant or privacy-sensitive environments, undisclosed file creation can expose analysis targets, retained data, or generated content to other processes or operators.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.