Etf Assistant 1.0.1

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward ETF lookup calculator that makes disclosed Yahoo Finance requests and shows no evidence of hidden access, persistence, account use, or destructive behavior.

Before installing, expect local shell execution and Yahoo Finance network requests when using quote or comparison commands. Treat the ETF tips and calculator output as informational only, and prefer numeric ETF codes or simple search terms because input validation is basic.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill documents shell command capabilities and expected CLI execution (`etf-assistant ...`) but does not declare corresponding permissions. Undeclared execution capability is dangerous because it can bypass normal trust and review expectations, and if the implementation invokes shell commands with user-controlled inputs such as ETF codes or search strings, it could expand into command execution or data access risks.

VirusTotal

64/64 vendors flagged this skill as clean.
