Groundapi Market Briefing

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward A-share market briefing skill that uses a disclosed GroundAPI MCP endpoint and API key to fetch public market/news data.

Install this only if you intend to use GroundAPI for market data. Configure your own GROUNDAPI_KEY, treat it as a secret, and expect market/news requests and any user-provided sector focus to be sent to GroundAPI.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium
Confidence: 85%
Finding
The trigger section includes broad language such as '类似以下表达时自动触发' and generic prompts like '市场简报' or '今天A股怎么样', which can cause the skill to activate in contexts beyond the user's actual intent. Over-broad activation increases the chance of unnecessary external tool calls and unintended disclosure of user queries or context to the remote MCP service.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill documentation instructs configuration of a remote MCP endpoint and includes transmission of an API key in request headers, but it does not clearly warn users that requests and possibly user-derived market queries will be sent to an external service. This creates a data-sharing and credential-handling risk, especially if users or deployers assume the skill operates locally or do not understand what information leaves the system.

VirusTotal

65/65 vendors flagged this skill as clean.
