Security audit

Cn Stock Volume

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Chinese A-share market report helper that uses expected public market-data queries and local report files, with no evidence of hidden persistence, credential access, or destructive behavior.

Install only if you are comfortable with public market-data lookups involving iwencai.com and with reports being stored locally, including under your Desktop report folder. Do not enter confidential trading research, account details, or proprietary identifiers as custom query text or manual report data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The script constructs a URL to an external website using user-supplied query text and explicitly indicates it will access iwencai.com, but it does not provide a clear user-facing privacy warning or require confirmation before transmitting the query off-system. This can expose potentially sensitive search terms, internal identifiers, or user intent to a third-party service, especially in an agent environment where users may not realize network egress is occurring.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal