Back to skill

Security audit

A股-股市分析和投资顾问(安西军项目)

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill is mostly read-only, but it adds web/forum searching, default sub-agent processing, and notification pushing without clear scoping or user control.

Install only if you are comfortable with a stock-analysis skill that may use external web/forum sources and possibly notifications. Configure TAX_API_KEY only as a secret, do not paste it in chat, require explicit confirmation before any notification or cross-agent sharing, and treat financial analysis as research rather than investment advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest and safety boundary say the skill is limited to read-only /stocks queries, but the workflow expands behavior to external web/news/forum search and notification pushing. This scope mismatch can cause the agent to send user prompts or derived data to external systems the user did not expect, undermining least privilege and trust assumptions.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The document explicitly states the skill must only call /stocks routes, yet later instructs use of LLM web search and notification pushing. Contradictory instructions in a skill are dangerous because the broader capability may bypass the documented restriction set and leak user queries, analysis content, or sensitive context to third-party sites or downstream notification channels.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Notification pushing is mentioned without saying what data may be transmitted, to which service, under what trigger, or with what retention/security guarantees. If implemented, the skill could exfiltrate user requests, stock interests, or generated reports to an undisclosed destination, creating privacy and compliance risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs collecting news and forum information via web search but provides no warning that user queries or stock-related interests may be sent to external search providers or websites. This creates an undisclosed data-sharing path and increases exposure to untrusted content sources, prompt-injection attempts, and privacy leakage.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger-word list is broad enough to match many generic finance-related terms such as 指数、公告、政策法规、个股 and 行情, which can cause the skill to claim queries that are ambiguous or only loosely related. In an agent environment, over-broad routing can redirect user requests away from more appropriate tools, increasing the chance of wrong data retrieval, misleading analysis, or unintended disclosure of installed skill capabilities.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.