Skills of convertible bond data released by ft.tech.

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed market-data helper for A-share convertible bond lookups and does not show hidden access, persistence, or data-changing behavior.

Install only if you are comfortable running bundled Python scripts that send market-data queries to market.ft.tech. Use it for convertible-bond and related A-share candlestick lookups, and treat returned market data as informational rather than trading advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The trigger phrases are broad enough that the skill may be invoked for general finance or stock-history questions, not just convertible-bond use cases. Over-broad routing can cause unintended tool execution and external data disclosure to a third-party service, especially when the skill also instructs shell-based execution of `run.py` and network access to a market data domain.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal