Yfinance

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local Yahoo Finance data connector, with normal caution needed around running its local web server.

Install this only if you want a local Yahoo Finance connector. For local use, prefer binding the server to 127.0.0.1, keep port 8000 off the public internet, stop the uvicorn process when finished, and use explicit market suffixes or auto_jk=false for non-Indonesian tickers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 95%
Finding
The skill instructs the agent to start a local web server in the background and separately install dependencies, but it does not clearly warn that this launches a persistent process and modifies the environment. In an agent setting, silent process creation and package installation can surprise users, consume resources, and expand attack surface if done automatically.

VirusTotal

64/64 vendors flagged this skill as clean.
