Security audit

Skills of A-share fund data released by ft.tech.

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed fund-data lookup tool that runs local Python handlers to query fixed market.ft.tech fund endpoints, with no evidence of hidden data access, persistence, or destructive behavior.

Install only if you are comfortable with the agent running the included Python scripts and sending fund lookup parameters to market.ft.tech. Do not enter unrelated private or account information into fund queries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding:
The skill directs the agent to read local files, invoke a Python entrypoint, and access a remote network service, but it does not declare these capabilities or bound their use. Hidden file/shell/network behavior reduces auditability and can enable unintended subprocess execution or data exposure if the skill is auto-selected or reused in a broader context.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The description and routing guidance are broad enough to match many generic fund-related requests, increasing the chance the skill is invoked when not strictly necessary. Over-broad activation is dangerous because this skill then performs code execution and network access, expanding the attack surface from ordinary user queries.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding:
The natural-language trigger table maps common phrases like '基金详情' and '基金净值' directly to sub-skills without disambiguation or confidence checks. In context, that can cause the agent to launch subprocesses and fetch external data based on ambiguous wording, which is unsafe behavior amplification rather than mere UX imprecision.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The markdown explicitly instructs execution of `python <RUN_PY> ...` but provides no user-facing warning that a subprocess will be launched and that remote data will be fetched. Lack of disclosure is risky because users and reviewers may believe this is a passive knowledge skill when it actually executes code with shell and network effects.

VirusTotal

60/60 vendors flagged this skill as clean.