Security audit

Daily Stock Analysis v2.1

Security checks across malware telemetry and agentic risk

Overview

This stock-analysis skill uses external market, AI, and notification services as advertised, with privacy and setup risks to review but no evidence of hidden or destructive behavior.

Install in a virtual environment, pin or lock dependencies, and review setup.sh/update.sh before running them because they pull code from GitHub. Protect config.json, use limited-scope API/webhook/email credentials, enable push only for destinations you control, and avoid sending confidential portfolio, client, or strategy details to external AI providers or notification channels.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (20)

Tainted flow: 'proxies' from os.environ.get (line 88, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
if proxy_url:
    proxies = {'https': proxy_url, 'http': proxy_url}

response = requests.post(url, headers=headers, params=params, json=data, timeout=30, proxies=proxies)
response.raise_for_status()

result = response.json()
Confidence
91% confidence
Finding
response = requests.post(url, headers=headers, params=params, json=data, timeout=30, proxies=proxies)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises capabilities that imply environment access, file reads, network access, and shell execution, but it does not declare permissions or user-visible consent boundaries. That creates a hidden-privilege problem where a stock-analysis skill could perform sensitive local actions or outbound requests beyond what a user would reasonably expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is stock analysis, but the detected behavior includes cloning/updating external repositories, creating virtual environments, installing dependencies, invoking subprocesses, and embedding fixed external links. This mismatch is dangerous because users may invoke the skill for benign analysis while it performs supply-chain, execution, or outbound actions not transparently disclosed.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README instructs users to configure third-party AI providers with API keys, but it does not clearly warn that stock symbols, prompts, and potentially derived analysis data may be transmitted to external services. In a finance-related skill, users may reasonably assume analysis stays local, so the missing disclosure creates a real privacy and data-handling risk even though it is documentation-level rather than an exploit primitive.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are broad, generic requests like '股票分析' and '问股', which can cause accidental activation during ordinary conversation. When combined with network and push capabilities, overbroad triggering increases the chance the skill runs and transmits data without the user intending to invoke it.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill promotes push/reporting features such as Feishu, WeCom, Telegram, Discord, and email, but the description does not clearly warn that generated analysis content may be sent to third-party services. This can lead to unintended disclosure of prompts, watchlists, strategy questions, or other sensitive financial context.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The Gemini path transmits stock identifiers, technical indicators, and possibly fundamental data to a third-party AI service. Without clear disclosure/consent and data-handling controls, users may unknowingly send sensitive or proprietary analysis inputs off-platform, which is a real privacy and data-governance risk in an investment-analysis context.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The OpenAI/DeepSeek path likewise sends prompt content containing market-analysis inputs to an external model provider. In a financial-analysis skill, undisclosed third-party transmission can expose proprietary strategies, user-entered notes, or regulated data, making this more sensitive than generic chatbot traffic.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The push_report function can send generated analysis results to external channels based solely on configuration, without an explicit runtime disclosure or confirmation at the point of transmission. In an agent/skill context, this increases the risk of unintentionally exfiltrating potentially sensitive portfolio interests, watchlists, or analysis outputs to third-party services.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This function performs a direct HTTP POST to an arbitrary Feishu webhook with report content, but provides no validation, allowlisting, or user-facing disclosure before sending. If the webhook is misconfigured, attacker-controlled, or silently supplied through configuration, analysis content can be transmitted outside the expected trust boundary.

Missing User Warnings

High
Confidence
95% confidence
Finding
daily_push automatically reads configured stock lists, analyzes them, and sends results to external channels when push is enabled, with no interactive warning or confirmation. In a skill environment this is more dangerous because automated scheduled execution can repeatedly disclose trading interests, holdings proxies, and generated analysis to third parties without the user's immediate awareness.

External Transmission

Medium
Category
Data Exfiltration
Content
  "ai": {
    "provider": "openai",
    "api_key": "sk-your-deepseek-key",
    "base_url": "https://api.deepseek.com/v1",
    "model": "deepseek-chat"
  },
  "data": {
Confidence
78% confidence
Finding
https://api.deepseek.com/

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core dependencies
akshare>=1.12.0
pandas>=2.0.0
numpy>=1.24.0
requests>=2.31.0
Confidence
94% confidence
Finding
akshare>=1.12.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core dependencies
akshare>=1.12.0
pandas>=2.0.0
numpy>=1.24.0
requests>=2.31.0
openai>=1.0.0
Confidence
95% confidence
Finding
pandas>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core dependencies
akshare>=1.12.0
pandas>=2.0.0
numpy>=1.24.0
requests>=2.31.0
openai>=1.0.0
python-dotenv>=1.0.0
Confidence
95% confidence
Finding
numpy>=1.24.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
akshare>=1.12.0
pandas>=2.0.0
numpy>=1.24.0
requests>=2.31.0
openai>=1.0.0
python-dotenv>=1.0.0
Confidence
96% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas>=2.0.0
numpy>=1.24.0
requests>=2.31.0
openai>=1.0.0
python-dotenv>=1.0.0

# US stock data (optional)
Confidence
96% confidence
Finding
openai>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
numpy>=1.24.0
requests>=2.31.0
openai>=1.0.0
python-dotenv>=1.0.0

# US stock data (optional)
yfinance>=0.2.0
Confidence
94% confidence
Finding
python-dotenv>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-dotenv>=1.0.0

# US stock data (optional)
yfinance>=0.2.0

# Email sending (optional)
# smtplib (built-in)
Confidence
93% confidence
Finding
yfinance>=0.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# smtplib (built-in)

# Markdown to image (optional, used for push)
markdown-to-image>=1.0.0
Confidence
94% confidence
Finding
markdown-to-image>=1.0.0

VirusTotal

60/60 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.