Back to skill

Security audit

Skills of ETF data released by ft.tech.

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed ETF market-data lookup tool that contacts a fixed market-data service and only writes a PCF file when the user asks it to.

Install if you are comfortable with ETF query details being sent to market.ft.tech and with the agent running the included Python handlers. When downloading PCF XML, choose the output filename carefully to avoid overwriting a local file in the allowed working directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill description includes broad trigger phrases such as queries about an ETF's '盘前' or even a bare symbol like '510300 盘前', which can overlap with ordinary user language and cause the agent to invoke this skill when the user's intent is ambiguous. Overly permissive activation increases the chance of unintended external data access, wrong-tool selection, and misleading answers based on the wrong endpoint.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.