Financial Market Data Quality Validation Tool

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised market-data checks, but it can automatically email validation failures using hard-coded mail settings and a source-code credential.

Review before installing. Use only after removing or replacing the hard-coded SMTP credential and recipient, making alerts explicitly opt-in, and confirming logs and file paths are acceptable for your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation clearly indicates file-reading behavior (`market_data.json` input and CLI `--file` path support), but no permissions are declared. Undeclared file access weakens transparency and consent boundaries, making it easier for a skill to read unintended local files if invoked with arbitrary paths.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared purpose is data-quality checking, but the documentation also describes outbound email alerts and local logging behavior that are not surfaced as core behavior or permissions. This mismatch is dangerous because users may supply sensitive market data assuming local validation only, while the skill may transmit failure details externally or persist them to disk without clear consent.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
A skill framed as a local validator but also advertising alert-email behavior creates a security-relevant disclosure gap. Even if the feature is operationally useful, it expands data flow beyond validation and can leak file paths, dataset contents, or business signals to external recipients.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
Listing 'terminate pipeline + send alert email' as a built-in mechanism without manifesting that external notification behavior means users and policy systems cannot accurately assess the skill's side effects. In a financial-data context, automatic notifications may expose operational status, validation errors, or embedded data fragments to outside systems.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documentation exposes concrete SMTP endpoints, sender, and recipient addresses that are unrelated to basic validation and may facilitate misuse, spam targeting, or unauthorized outbound transmission. Hardcoded mail infrastructure in a skill also encourages sending operational data to fixed destinations outside user control.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is presented as a local data-quality checker, but it performs outbound SMTP email transmission on failure, creating an undisclosed network side effect. This can leak operational details and potentially sensitive validation results to an external recipient, which is especially risky in enterprise environments handling financial data.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
The file contains hard-coded SMTP configuration and an authentication secret directly in source code. Embedded credentials are easily exposed through source control, logs, packaging, or reuse, enabling unauthorized access to the mail account and abuse for exfiltration, impersonation, or spam.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The documentation states the tool only performs validation and returns pass/reject plus reasons, but the implementation also sends alert emails. This mismatch is dangerous because users and integrators may run it assuming no external side effects, leading to unexpected data disclosure and bypass of approval or network-control expectations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill mentions sending alert emails but does not warn that data related to validation failures may leave the local environment. Without clear notice of outbound transmission and disclosure risk, users may unknowingly process sensitive financial data under incorrect assumptions about privacy and locality.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Publishing hardcoded alert email endpoints without warnings about credentials, privacy, or outbound behavior increases the risk of accidental disclosure and insecure operational setup. In practice, operators may deploy the skill with sensitive defaults, causing silent transmission of internal validation failures or dataset context to fixed external addresses.

VirusTotal

65/65 vendors flagged this skill as clean.
