eastmoney skills

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Eastmoney watchlist tool, but users should be careful because it can add or delete account watchlist entries and saves query results locally.

Install only if you trust this runtime with your Eastmoney API key. Use explicit query/add/delete commands, review delete requests before running them, and remove saved CSV/JSON files if your watchlist is private.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill documentation describes capabilities to read environment variables, write files, and make outbound network requests, but it declares no explicit permissions. This creates a transparency and governance gap: users and platforms cannot accurately assess what sensitive resources the skill needs, increasing the chance of overbroad execution or unintended exposure of credentials and account data.

Intent-Code Divergence

Low

Confidence: 83% confidence
Finding: The skill inconsistently refers to the API credential as both `MX_APIKEY` and `EASTMONEY_APIKEY`. This can cause operators to misconfigure secrets, leading to failed authentication, accidental placement of credentials in the wrong environment variable, or insecure workarounds during troubleshooting.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal