Back to skill

Security audit

india-market-intelligence

Security checks across malware telemetry and agentic risk

Overview

This is a market-information skill that fetches public market data and news, but its trading-style outputs should be treated as informational rather than financial advice.

Install only if you are comfortable with the skill making outbound requests to public finance/news providers and sending ticker symbols or watchlist queries to those services. Treat all trading signals, risk scores, and recommendations as educational market commentary; verify data from official sources and do not rely on it as sole financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Low
Confidence
95% confidence
Finding
The skill mentions data sources and a financial disclaimer, but it does not clearly warn users that commands transmit requests to external providers and may include user-specified tickers or other query inputs. This weakens informed consent and may surprise users in restricted or privacy-sensitive environments, especially when monitoring custom watchlists or region-specific queries.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The document actively encourages trading and investment workflows before prominently disclosing that the data may be delayed, inaccurate, or unsuitable for direct decision-making. In a market-intelligence skill, this increases the chance that users or downstream agents act on stale or incorrect information, causing financial harm or over-trusting AI-generated analysis.

Missing User Warnings

Low
Confidence
75% confidence
Finding
The script makes outbound requests to Yahoo Finance, RSS feeds, and other external services without clearly informing the user that network access will occur. In agent/skill contexts, undisclosed external access is a meaningful security and privacy concern because it can violate user expectations, leak metadata such as IP/addressing and query interests, and bypass environments that expect explicit consent for network use.

Natural-Language Policy Violations

Medium
Confidence
85% confidence
Finding
The output includes direct action-oriented trading guidance such as BUY, SELL, LONG, SHORT, EXPAND, and AGGRESSIVE without verifying the user's role, sophistication, or explicit request for actionable financial advice. In this skill context, that is more dangerous because the tool is marketed as market intelligence for live trading decisions, so users may over-trust heuristic outputs and take harmful real-world actions based on unqualified recommendations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.