Security audit

Financial data fetcher

Security checks across malware telemetry and agentic risk

Overview

This skill mostly provides financial-data tooling, but it also includes under-scoped controls that can change a TongDaXin client, as well as an undisclosed order-submission primitive.

Install only if you intend to let the agent interact with a local TongDaXin TQ client beyond read-only data lookup. Treat sector deletion/clearing, file sending, alert publishing, cache refreshes, subscriptions, and any direct library use of order_stock as privileged actions that should require explicit user approval and should not be exposed to broad automatic financial-data requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (43)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 79%
Finding
The skill is documented as a data-fetching tool, but the available commands include operations that can write or alter state, such as creating, renaming, deleting, and clearing custom sectors, and downloading files. When state-changing or file-writing capabilities exist without an explicit permissions declaration, users and orchestration systems may underestimate the tool's authority and invoke it in unsafe contexts.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding
The declared purpose is limited to financial data retrieval, but the documented behavior extends to modifying user-defined sectors, changing subscription state, refreshing caches, downloading files, exporting data, interacting with the formula engine, and even providing trading/order-related capability per the analyzer summary. This kind of description-behavior mismatch is dangerous because it conceals privileged or high-impact functionality behind a benign label, increasing the chance of unintended activation and misuse.

Description-Behavior Mismatch

Severity: Medium
Confidence: 86%
Finding
Although framed as a financial data fetcher, the skill also documents commands that modify custom sectors and manage subscriptions, which are not purely read-only retrieval functions. In context, this makes the skill more dangerous because users may trust it as informational while it can change application state and persist side effects.

Description-Behavior Mismatch

Severity: Low
Confidence: 70%
Finding
The documentation includes a file download capability that is not reflected in the narrow data-fetching description. Even if intended for legitimate market-data retrieval, download functionality introduces storage, integrity, and trust-boundary risks that should not be hidden behind a read-only label.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
This library is presented as a financial data fetcher, but it also exposes state-changing capabilities including order submission, sending data/messages to the host application, and manipulating user-defined sectors/watchlists. In an agent-skill context, that scope expansion is dangerous because a caller expecting read-only market data may unknowingly trigger trading or portfolio/view modifications through the same interface.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The docstring states the order API has no real functionality, but the implementation directly calls dll.SetNewOrder and can submit orders if the DLL/backend honors the request. Mislabeling a live trading primitive as inert is especially risky in an agent environment because developers or users may invoke it during testing or analysis under false assumptions and cause real financial transactions.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The docstring says quote subscription has no actual functionality, but the code registers a ctypes callback and invokes DLL subscription functions, creating real external side effects and data flows. While less severe than order placement, deceptive documentation around live subscriptions can still mislead users about network activity, callback execution, and runtime behavior in a privileged desktop trading environment.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The documented `create_sector` API performs a state-changing operation in the client, which conflicts with the skill's stated purpose of only fetching financial data. This can mislead users or downstream agents into invoking a mutating action under a read-only trust model, causing unauthorized or unexpected changes to local trading/watchlist configuration.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The documented function performs a destructive action by deleting a custom sector, while the skill is presented as a financial data fetcher. This creates a capability/scope mismatch that can mislead integrators or users into granting trust to a tool that can modify or destroy client-side data.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding
A custom sector deletion API is not justified by the stated purpose of fetching financial data and introduces unnecessary destructive capability. Excess privileges increase the risk of accidental misuse, deceptive packaging, or abuse by an agent acting under ambiguous instructions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The documented capability performs a state-changing operation by renaming a custom sector in the local Tongdaxin client, which exceeds the declared scope of a financial data fetcher. This mismatch can mislead users or downstream agents into invoking write-side functionality under the assumption that the skill is read-only, increasing the risk of unauthorized or unintended modification of user configuration/data.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The article and examples go beyond passive financial data retrieval and perform client-side state changes by writing selected stocks into a user block/watchlist. In a skill advertised as a data-fetching tool, this creates an integrity risk because running examples can silently modify the user's trading client state and influence later trading workflows.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The example emits live client-side warnings via send_warn, and the surrounding text notes these alerts can be used to open order-entry flows directly. That is a material action capability outside a data-fetching scope, and without strong user acknowledgment it can cause operational disruption, alert fatigue, or unintended trading decisions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
This example writes screening output into a user-defined block, which modifies persistent client-side state rather than merely fetching data. In the context of a data retrieval skill, that mismatch increases the chance that users run the code expecting read-only behavior and unintentionally alter watchlists or downstream screening setups.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The documented capability exceeds the skill's stated purpose of only fetching financial data by including alerting, backtest stream publication, and client-directed actions. This broadens the trust boundary and can mislead operators into enabling a skill that can push data into a logged-in trading client, increasing the chance of unintended signaling or data manipulation workflows.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The examples show arbitrary local file transfer to the TongdaXin client via tq.send_file(), which is unrelated to simple financial data retrieval and can expose sensitive local documents. Because the file path is controlled by the script and the client must be logged in, this creates a clear data exfiltration or unintended disclosure channel into another trusted application context.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding
Publishing warning signals and backtest data is broader than a read-only market-data fetcher and enables the skill to inject operational or analytical content into the trading client. In this context that is dangerous because users may grant trust based on the narrower description and not expect the skill to generate or transmit decision-affecting signals.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The documented API allows sending a specified local file to the client, including by absolute path, which creates a file exfiltration capability beyond the stated purpose of a financial data fetching skill. In a plugin or agent context, such a primitive can be abused to disclose sensitive local files if untrusted input can influence the file path or if the broader skill is over-privileged.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding
The documentation explicitly states that files outside the plugin folder may be sent using an absolute path, enabling arbitrary local file transfer to the client. Because the skill is described as a financial data retrieval tool, this capability is not justified by context and materially increases the risk of unintended data exposure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The file materially exceeds a data-fetching role by computing trading signals, sending warnings, and guiding the user into a rapid buy/sell workflow. In a skill presented as a financial data retrieval tool, this capability expansion increases the chance of unauthorized or unsafe trade facilitation, especially when paired with an already logged-in brokerage account.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The code invokes send_warn and the markdown instructs users to open fast buy/sell interfaces based on generated signals, which is trade-execution assistance rather than mere analytics. This is dangerous because users may act on automated prompts without adequate review, causing unintended orders or account-position changes in an environment that appears to be only for data access.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The script performs a destructive modification operation (`tq.clear_sector`) even though the skill is presented as a financial data-fetching tool. This mismatch increases the chance that users or higher-level agents invoke it expecting read-only behavior, causing unintended deletion of custom sector constituents.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The script description and behavior explicitly clear custom sector members, which contradicts the declared purpose of a data retrieval skill. In agentic environments, capability misrepresentation is a security issue because it can bypass user expectations, policy routing, or permission boundaries designed for read-only tools.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The script performs a state-changing operation by creating a custom sector, while the skill is described as a financial data retrieval tool. This capability mismatch is dangerous because users or higher-level agents may authorize the skill expecting read-only access, but the script can modify platform resources and organizational data structures.

Intent-Code Divergence

Severity: Low
Confidence: 86%
Finding
The inline description clearly indicates creation of a custom sector, which contradicts the surrounding fetch/read-oriented skill purpose. While not directly exploitable on its own, this inconsistency increases the risk of deceptive or unsafe tool use by causing operators and automated agents to misunderstand the script's write capability.

VirusTotal

64/64 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.